Security considerations in gRPC for ASP.NET Core
Note
This isn't the latest version of this article. For the current release, see the .NET 8 version of this article.
Warning
This version of ASP.NET Core is no longer supported. For more information, see .NET and .NET Core Support Policy. For the current release, see the .NET 8 version of this article.
Important
This information relates to a pre-release product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
For the current release, see the .NET 8 version of this article.
This article provides information on securing gRPC with .NET Core.
Transport security
gRPC messages are sent and received using HTTP/2. We recommend:
- Transport Layer Security (TLS) be used to secure messages in production gRPC apps.
- gRPC services should only listen and respond over secured ports.
TLS is configured in Kestrel. For more information on configuring Kestrel endpoints, see Kestrel endpoint configuration.
TLS is configured in Kestrel. For more information on configuring Kestrel endpoints, see Kestrel endpoint configuration.
A TLS termination proxy can be combined with TLS. The benefits of using TLS termination should be considered against the security risks of sending unsecured HTTP requests between apps in the private network.
Exceptions
Exception messages are generally considered sensitive data that shouldn't be revealed to a client. By default, gRPC doesn't send the details of an exception thrown by a gRPC service to the client. Instead, the client receives a generic message indicating an error occurred. Exception message delivery to the client can be overridden (for example, in development or test) with EnableDetailedErrors. Exception messages shouldn't be exposed to the client in production apps.
Message size limits
Incoming messages to gRPC clients and services are loaded into memory. Message size limits are a mechanism to help prevent gRPC from consuming excessive resources.
gRPC uses per-message size limits to manage incoming and outgoing messages. By default, gRPC limits incoming messages to 4 MB. There is no limit on outgoing messages.
On the server, gRPC message limits can be configured for all services in an app with AddGrpc
:
public void ConfigureServices(IServiceCollection services)
{
services.AddGrpc(options =>
{
options.MaxReceiveMessageSize = 1 * 1024 * 1024; // 1 MB
options.MaxSendMessageSize = 1 * 1024 * 1024; // 1 MB
});
}
Limits can also be configured for an individual service using AddServiceOptions<TService>
. For more information on configuring message size limits, see gRPC configuration.
Client certificate validation
Client certificates are initially validated when the connection is established. By default, Kestrel doesn't perform additional validation of a connection's client certificate.
We recommend that gRPC services secured by client certificates use the Microsoft.AspNetCore.Authentication.Certificate package. ASP.NET Core certification authentication will perform additional validation on a client certificate, including:
- Certificate has a valid extended key use (EKU)
- Is within its validity period
- Check certificate revocation