
@BrennanConroy
Member

AppContext for HttpSys CBT hardening

Description

Request from a partner team to allow setting hardened security for their HTTP.Sys applications.

Customer Impact

By default there is no impact; this change is opt-in. If the change is enabled, it sets hardened security for the endpoints exposed by the HTTP.Sys application.

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

Purely opt-in change. We've also verified the change with the partner team.

Verification

  • Manual (required)
  • Automated

Packaging changes reviewed?

  • Yes
  • No
  • N/A

@BrennanConroy BrennanConroy added this to the 10.0.x milestone Nov 10, 2025
Copilot AI review requested due to automatic review settings November 10, 2025 23:04
@BrennanConroy BrennanConroy added the Servicing-consider Shiproom approval is required for the issue label Nov 10, 2025
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR adds opt-in support for Channel Binding Token (CBT) hardening in HttpSys through an AppContext switch. By default, there is no impact to existing applications as this security hardening feature is disabled unless explicitly enabled.

  • Adds HTTP_CHANNEL_BIND_INFO native struct support
  • Implements CBT hardening configuration via AppContext switch Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening
  • Sets hardening level to HttpAuthenticationHardeningMedium when enabled

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                                                Description
src/Servers/HttpSys/src/NativeMethods.txt           Adds HTTP_CHANNEL_BIND_INFO to the native methods list for P/Invoke generation
src/Servers/HttpSys/src/NativeInterop/UrlGroup.cs   Implements CBT hardening configuration in the UrlGroup constructor when the AppContext switch is enabled

Comment on lines +50 to +55
var channelBindingSettings = new HTTP_CHANNEL_BIND_INFO
{
Hardening = HTTP_AUTHENTICATION_HARDENING_LEVELS.HttpAuthenticationHardeningMedium,
ServiceNames = (HTTP_SERVICE_BINDING_BASE**)IntPtr.Zero,
NumberOfServiceNames = 0,
};
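Review bot: HttpAuthenticationHardeningMedium on the Hardening line validates a channel binding token only when the client presents one; a client that sends no CBT is still authenticated, so this switch corresponds to the "accept" rather than the "require" level of Extended Protection and does not by itself reject a relayed Windows-auth exchange coming from a client that omits the token. That is a defensible default for an opt-in switch, but it should be stated in the documentation for Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening, and it is worth asking whether partners who need HttpAuthenticationHardeningStrict should get a way to select it (a second switch or an HttpSysOptions setting, for example). Note also that ServiceNames = null with NumberOfServiceNames = 0 registers no service-name (SPN) list, so only the TLS channel binding is checked, not the target name the client believed it was authenticating to; that should be a conscious choice rather than an omission.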

Copilot AI Nov 10, 2025


The HTTP_CHANNEL_BIND_INFO struct is missing the Flags field initialization. All other similar HTTP_*_INFO structs in this codebase (e.g., HTTP_BINDING_INFO, HTTP_CONNECTION_LIMIT_INFO, HTTP_TIMEOUT_LIMIT_INFO, HTTP_SERVER_AUTHENTICATION_INFO) set Flags = HttpApi.HTTP_PROPERTY_FLAGS_PRESENT to indicate the property is being set. This field should be added for consistency and to ensure proper property setting behavior.

ServiceNames = (HTTP_SERVICE_BINDING_BASE**)IntPtr.Zero,
NumberOfServiceNames = 0,
};
SetProperty(HTTP_SERVER_PROPERTY.HttpServerChannelBindProperty, new(&channelBindingSettings), (uint)ChannelBindInfoSize);

Copilot AI Nov 10, 2025


The IntPtr construction uses target-typed new expression new(&channelBindingSettings) which is inconsistent with other SetProperty calls in this file that use explicit new IntPtr(&...) (lines 76, 87, 97, 130, 146). For consistency with the existing codebase, use new IntPtr(&channelBindingSettings) instead.

Suggested change
SetProperty(HTTP_SERVER_PROPERTY.HttpServerChannelBindProperty, new(&channelBindingSettings), (uint)ChannelBindInfoSize);
SetProperty(HTTP_SERVER_PROPERTY.HttpServerChannelBindProperty, new IntPtr(&channelBindingSettings), (uint)ChannelBindInfoSize);

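To make the opt-in concrete, the following is a minimal HTTP.sys host that enables the switch. It is an added example written for this page and is not code from the PR or from the aspnetcore repository. It takes the switch name from the review overview above; everything else (the URL, the port, the /whoami endpoint, the assumption that a server certificate is already bound to the port) is illustrative. It also assumes what the overview implies: the switch is read while the URL group is created, so it must be set before the host starts, and the hardening only has an effect for Windows authentication over HTTPS, because a channel binding token ties the Negotiate (Kerberos/NTLM) exchange to the TLS session.

```csharp
// Program.cs for a minimal ASP.NET Core app hosted on HTTP.sys (Windows only).
// Added example, not part of the PR. Only the switch name comes from the PR;
// URL, port and endpoint are illustrative.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.HttpSys;

// 1. Opt in. The PR reads the switch in the UrlGroup constructor, i.e. while the
//    server is being created, so it has to be set before Build()/Run(). The same
//    value can be baked into runtimeconfig.json at build time from the .csproj:
//      <ItemGroup>
//        <RuntimeHostConfigurationOption
//            Include="Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening"
//            Value="true" />
//      </ItemGroup>
AppContext.SetSwitch("Microsoft.AspNetCore.Server.HttpSys.EnableCBTHardening", true);

var builder = WebApplication.CreateBuilder(args);

// 2. Host on HTTP.sys with Windows authentication on an HTTPS prefix. The CBT
//    binds the Negotiate handshake to the TLS session, so a plain http:// prefix
//    has nothing for the hardening to check. The prefix assumes a certificate was
//    bound to 5001 beforehand (netsh http add sslcert ...), which is not shown here.
builder.WebHost.UseHttpSys(options =>
{
    options.Authentication.Schemes = AuthenticationSchemes.Negotiate;
    options.Authentication.AllowAnonymous = false;
    options.UrlPrefixes.Add("https://localhost:5001/");
});

var app = builder.Build();

// 3. A trivial endpoint that reports which identity and scheme HTTP.sys authenticated.
app.MapGet("/whoami", (HttpContext ctx) =>
    Results.Text($"Authenticated as {ctx.User.Identity?.Name} " +
                 $"via {ctx.User.Identity?.AuthenticationType}"));

app.Run();
```

One caveat when checking that the switch took effect: according to the overview the switch selects HttpAuthenticationHardeningMedium, which still admits a client that presents no channel binding token, so a CBT-less client succeeding against /whoami is not evidence that the hardening is off. What changes is that a client which does present a token must present one matching the server's TLS session.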
@rbhanda rbhanda modified the milestones: 10.0.x, 10.0.2 Nov 11, 2025
@wtgodbe wtgodbe added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Nov 13, 2025
@wtgodbe
Copy link
Member

wtgodbe commented Nov 13, 2025

Approved over email

@wtgodbe wtgodbe merged commit b029371 into release/10.0 Nov 13, 2025
31 of 34 checks passed
@wtgodbe wtgodbe deleted the brecon/10cbt branch November 13, 2025 22:50
@dotnet-policy-service dotnet-policy-service bot modified the milestones: 10.0.2, 10.0.1 Nov 13, 2025