Class LocalhostCertTrust

Namespace
Kuestenlogik.Bowire.Auth
Assembly
Kuestenlogik.Bowire.dll

Resolves whether a Bowire protocol plugin should trust a self-signed certificate served from a loopback address. Off by default — production hosts always validate strictly via the OS trust store. The opt-in is designed for the ASP.NET Core dev-certs flow on developer machines and CI containers where dotnet dev-certs https --trust hasn't run.

Settings hierarchy (first hit wins):

  • Bowire:{PluginId}:TrustLocalhostCert — per-plugin override. Use when one plugin needs different cert handling than the host's global default (e.g. enable for SignalR but stay strict for REST).
  • Bowire:TrustLocalhostCert — global default for every TLS-bearing plugin. Recommended choice for a typical local-dev host.
  • Otherwise — false.

Even when the flag is on, the relaxed validation only fires for URLs whose host is localhost, 127.0.0.1 or ::1. A production hostname accidentally seen by a misconfigured Bowire host is still validated against the OS trust store.

public static class LocalhostCertTrust
Inheritance
LocalhostCertTrust

Methods

IsLocalhostUrl(string)

True when the URL points at localhost, 127.0.0.1, or ::1. Defence in depth — every relaxed-validation path guards on this in addition to the configuration flag.

public static bool IsLocalhostUrl(string url)

Parameters

url string

Returns

bool

IsTrustedFor(IConfiguration?, string, string)

True if url is loopback AND the host has opted in for either the named plugin or the global default.

public static bool IsTrustedFor(IConfiguration? config, string pluginId, string url)

Parameters

config IConfiguration

Application IConfiguration; usually obtained by the plugin from its Initialize service provider. Null returns false (standalone / test paths without DI hosting).

pluginId string

Plugin id like "signalr" / "websocket". Case-sensitive against the config key.

url string

Target URL the plugin is about to open.

Returns

bool
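
Example (added here, not Bowire's own code): one way a plugin could turn the IsTrustedFor result into an HttpClientHandler, re-checking the loopback guard inside the validation callback so that a redirect away from localhost falls back to strict validation. DevHandlerFactory, the sample URLs and the in-memory settings are hypothetical, and accepting only chain errors is an assumption about a sensible relaxed policy, not documented Bowire behaviour.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using Kuestenlogik.Bowire.Auth;
using Microsoft.Extensions.Configuration;

// Hypothetical helper (not part of Bowire): builds the handler for one target URL.
public static class DevHandlerFactory
{
    public static HttpClientHandler Create(IConfiguration? config, string pluginId, string url)
    {
        var handler = new HttpClientHandler();
        // Flag off, null config, or non-loopback URL: keep default OS trust store validation.
        if (!LocalhostCertTrust.IsTrustedFor(config, pluginId, url))
            return handler;
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;
            // Re-check per request: an auto-followed redirect can leave loopback
            // after the initial IsTrustedFor decision was made.
            var target = request.RequestUri is { IsAbsoluteUri: true } u ? u.AbsoluteUri : null;
            if (target is null || !LocalhostCertTrust.IsLocalhostUrl(target)) return false;
            // Assumption: tolerate only an untrusted chain (self-signed dev cert);
            // a name mismatch or a missing certificate is still rejected.
            return errors == SslPolicyErrors.RemoteCertificateChainErrors;
        };
        return handler;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample settings: strict globally, relaxed for "signalr" only.
        var config = new ConfigurationBuilder()
            .AddInMemoryCollection(new Dictionary<string, string?>
            {
                ["Bowire:TrustLocalhostCert"] = "false",
                ["Bowire:signalr:TrustLocalhostCert"] = "true",
            })
            .Build();
        using var signalr = DevHandlerFactory.Create(config, "signalr", "https://localhost:5001/hub");
        using var ws = DevHandlerFactory.Create(config, "websocket", "https://localhost:5001/ws");
        Console.WriteLine($"signalr relaxed: {signalr.ServerCertificateCustomValidationCallback is not null}, " +
                          $"websocket relaxed: {ws.ServerCertificateCustomValidationCallback is not null}");
    }
}
```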