
Conversation

@BrennanConroy
Member

AppContext for HttpSys CBT hardening

Description

Request from a partner team to allow setting hardened security for their HTTP.Sys applications.

Customer Impact

By default there is no impact; this change is opt-in. If the change is enabled then it sets hardened security for the endpoints exposed by the HTTP.Sys application.

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

Purely opt-in change. We've also verified the change with the partner team.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

@BrennanConroy BrennanConroy added this to the 9.0.x milestone Nov 10, 2025
Copilot AI review requested due to automatic review settings November 10, 2025 23:03
@BrennanConroy BrennanConroy added the Servicing-consider Shiproom approval is required for the issue label Nov 10, 2025
Copilot finished reviewing on behalf of BrennanConroy November 10, 2025 23:05
Contributor

Copilot AI left a comment


Pull Request Overview

This PR adds an opt-in AppContext switch (Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening) that enables hardened Channel Binding Token (CBT) security for HTTP.Sys applications. This change was requested by a partner team to support enhanced security configurations.

Key changes:

  • Added support for HTTP_CHANNEL_BIND_INFO native structure
  • Implemented CBT hardening configuration in UrlGroup constructor with medium hardening level
  • Made the feature opt-in via AppContext switch to ensure no impact to existing applications

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: src/Servers/HttpSys/src/NativeMethods.txt
Description: Added HTTP_CHANNEL_BIND_INFO to the list of native types for P/Invoke generation

File: src/Servers/HttpSys/src/NativeInterop/UrlGroup.cs
Description: Implemented CBT hardening logic in UrlGroup constructor, checking AppContext switch and calling SetProperty with channel binding settings

ServiceNames = (HTTP_SERVICE_BINDING_BASE**)IntPtr.Zero,
NumberOfServiceNames = 0,
};
SetProperty(HTTP_SERVER_PROPERTY.HttpServerChannelBindProperty, new(&channelBindingSettings), (uint)ChannelBindInfoSize);

Copilot AI Nov 10, 2025


The SetProperty call in the constructor should handle potential errors. If this call fails, the UrlGroup is still constructed but without CBT hardening, which could lead to a silent security configuration failure. Consider adding error handling or logging similar to other property setters in this class, or document that failures are intentionally ignored during construction.

Suggested change
SetProperty(HTTP_SERVER_PROPERTY.HttpServerChannelBindProperty, new(&channelBindingSettings), (uint)ChannelBindInfoSize);
try
{
SetProperty(HTTP_SERVER_PROPERTY.HttpServerChannelBindProperty, new(&channelBindingSettings), (uint)ChannelBindInfoSize);
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to set CBT hardening on UrlGroup during construction. Security configuration may be incomplete.");
// Optionally, rethrow or handle as needed for your application's security requirements.
}
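Review bot: the catch-all in the suggested change logs and then continues, which leaves the UrlGroup in service without the hardening the operator explicitly opted into; that is exactly the silent security configuration failure the comment above warns about. Since the switch is opt-in, the safer default is to fail construction: either let the SetProperty failure propagate as the original single-line call does, or keep the logging and end the catch block with `throw;` rather than the "Optionally, rethrow" comment.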

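The overview above says the switch is read in the UrlGroup constructor, so it has to be in place before the HTTP.sys server is constructed at host startup. The following is an added example, not code from the PR or from the aspnetcore repository: a minimal HTTP.sys host that opts into the switch programmatically and logs at startup whether the opt-in is in effect. The switch name is the one quoted in the overview; the URL prefix, the logger category name and the route are constructed for the example, and the host only runs on Windows with an ASP.NET Core build that contains this change.

```csharp
// Added example (not from the PR): opt into HTTP.sys CBT hardening and verify the opt-in at startup.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;
using Microsoft.Extensions.Logging;

// Switch name as given in the PR overview.
const string CbtHardeningSwitch = "Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening";

// The PR reads this switch in the UrlGroup constructor, which runs when the HTTP.sys
// server is created during host startup, so set it before the host is built or run.
AppContext.SetSwitch(CbtHardeningSwitch, true);

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.UseHttpSys(options =>
{
    // Channel binding only applies to Windows authentication over TLS; on anonymous
    // or plain-HTTP endpoints there is nothing for the hardening level to bind.
    options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
    options.Authentication.AllowAnonymous = false;

    // Constructed prefix: a certificate must already be bound to the port
    // (for example with "netsh http add sslcert") for HTTP.sys to serve TLS here.
    options.UrlPrefixes.Add("https://localhost:5001/");
});

var app = builder.Build();

// Startup check a deployment reviewer wants in the logs: was the opt-in actually applied?
if (AppContext.TryGetSwitch(CbtHardeningSwitch, out var enabled) && enabled)
{
    app.Logger.LogInformation("HTTP.sys CBT hardening switch is enabled (medium hardening level per the PR).");
}
else
{
    app.Logger.LogWarning("HTTP.sys CBT hardening switch is NOT enabled; channel binding runs at the default level.");
}

app.MapGet("/", (HttpContext ctx) => $"Authenticated as {ctx.User.Identity?.Name}");

app.Run();
```

The same opt-in can be made without code changes through the host configuration, for example a `RuntimeHostConfigurationOption` item in the project file with `Include="Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening"` and `Value="true"`, which ends up in the app's runtimeconfig.json; the startup log line above then confirms which path took effect in a given deployment.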
@rbhanda rbhanda modified the milestones: 9.0.x, 9.0.12 Nov 11, 2025
@wtgodbe wtgodbe added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Nov 13, 2025
@wtgodbe
Member

wtgodbe commented Nov 13, 2025

Approved over email

@wtgodbe wtgodbe merged commit d52b491 into release/9.0 Nov 13, 2025
28 of 31 checks passed
@wtgodbe wtgodbe deleted the brecon/9cbt branch November 13, 2025 21:40
@dotnet-policy-service dotnet-policy-service bot modified the milestones: 9.0.12, 9.0.11 Nov 13, 2025
@dotnet-policy-service
Contributor

Hi @BrennanConroy. This PR was just approved to be included in the upcoming servicing release. Somebody from the @dotnet/aspnet-build team will get it merged when the branches are open. Until then, please make sure all the CI checks pass and the PR is reviewed.

@wtgodbe wtgodbe modified the milestones: 9.0.11, 9.0.12 Nov 13, 2025