JWT RequireSecureConnection override through HTTP Header

jantytgat · February 17, 2018, 10:46am

Hi,

My goal is to put my ServiceStack applications behind a reverse proxy to perform SSL Offloading (Citrix NetScaler).
However, in doing so, connections coming through to my authentication endpoints will not go through a secured connection.

In JWT, there is an option to set RequireSecuredConnection to true, to make sure all requests were sent over a secure link.
In the situation above, the only way to indicate that the request was sent over an SSL connection, is by inserting the X-Forwarded-Proto header (this is an official HTTP header, just like X-Forwarded-For) between the reverse proxy and the application host.

Is it possible to detect this header so that RequireSecuredConnection can remain to be set to true, whilst checking for the value of that header? (It should always be either http or https).

Kind regards,
Jan

mythz · February 17, 2018, 10:52am

This should already be the default behavior of IsSecureConnection, if you’re not seeing this behavior can include the raw HTTP Request/Response Headers (with any sensitive info scrubbed out) and let me know which host you’re using ServiceStack with (e.g. ASP.NET, .NET Core or HttpListener)

jantytgat · February 17, 2018, 11:00am

Didn’t know about that one. Thanks for the quick reply!