How to configure Antiforgery Cookie to be securely set when deployed behind reverse proxy, such as Træfik?

[aDisplayName]

When Aspnet.core blazor app is deployed behind a level 7 reverse proxy, such as traefik, how to make sure the antiforgery cookie set in the client browser has the "SECURE" flag set?

In our setup - k3s cluster engine, Traefik is used as the reverse proxy to handle all the HTTPS and HTTP request from 443 and 90 ports. We deploy our .NET 8 Blazor server app into the same cluster. The HTTPS request from the browser at the user side, will be handled by Traefik first, which will terminate the HTTPS session and forward the plain HTTP request to our Blazor server app.

As the result, the antifogery cookies set by the response of the request to our Blazor server app does not have the "SECURE" flag set, and our IT Security team complains about it.

The traefik has already enabled the forwarded header with the X-Forwarded-Proto set to "https". The following flags were set after the blazor sever app was loaded in browser:

.AspNetCore.Antiforgery.-nAxxxxx=yyyyyyy; path=/; samesite=strict; httponly

As we can see, the SEURE flag was not being set.

We have tried to use the following config in Program.cs

builder.Services.AddAntiforgery(o => o.Cookie.SecurePolicy = CookieSecurePolicy.Always);

then after we redeploy the app, the following exception was thrown:

Microsoft.AspNetCore.Components.Infrastructure.ComponentStatePersistenceManager[1000] There was an error executing a callback while pausing the application. System.InvalidOperationException: The antiforgery system has the configuration value AntiforgeryOptions.Cookie.SecurePolicy = Always, but the current request is not an SSL request.
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.CheckSSLConfig(HttpContext context)
at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetAndStoreTokens(HttpContext httpContext)
at Microsoft.AspNetCore.Components.Endpoints.Forms.EndpointAntiforgeryStateProvider.GetAntiforgeryToken()   

Traced it back to

aspnetcore/src/Antiforgery/src/Internal/DefaultAntiforgery.cs

Line 256 in e31f630

private void CheckSSLConfig(HttpContext context)

    private void CheckSSLConfig(HttpContext context)
    {
        if (_options.Cookie.SecurePolicy == CookieSecurePolicy.Always && !context.Request.IsHttps)
        {
            throw new InvalidOperationException(Resources.FormatAntiforgery_RequiresSSL(
                string.Join(".", nameof(AntiforgeryOptions), nameof(AntiforgeryOptions.Cookie), nameof(CookieBuilder.SecurePolicy)),
                nameof(CookieSecurePolicy.Always)));
        }
    }

It seems the context.Request.IsHttps does not check the forwarded proto result.

My question is, is there a way for aspnet core app deployed behind a Level 7 reverse proxy still able to set the AntiForgery cookie with SECURE flag set?

Regards

[aDisplayName]

#18650