Microsoft.AspNetCore.Http.Features
The HTTP authentication feature.
Gets or sets the associated with the HTTP request.
Use to dynamically control response compression for HTTPS requests.
No value has been specified, use the configured defaults.
Opts out of compression over HTTPS. Enabling compression on HTTPS requests for remotely manipulable content
may expose security problems.
Opts into compression over HTTPS. Enabling compression on HTTPS requests for remotely manipulable content
may expose security problems.
Provides information about rejected HTTP requests.
Synchronously retrieves the exception associated with the rejected HTTP request.
Allows reading the request body as a HTTP form.
Indicates if the request has a supported form content-type.
Gets or sets the parsed form.
This API will return a non-null value if the
request body was read using or , or
if a value was explicitly assigned.
Parses the request body as a form.
If the request body has not been previously read, this API performs a synchronous (blocking) read
on the HTTP input stream which may be unsupported or can adversely affect application performance.
Consider using instead.
The .
Parses the request body as a form.
Controls the IO behavior for the and
Gets or sets a value that controls whether synchronous IO is allowed for the and
Information regarding the TCP/IP connection carrying the request.
Gets or sets the unique identifier for the connection the request was received on. This is primarily for diagnostic purposes.
Gets or sets the IPAddress of the client making the request. Note this may be for a proxy rather than the end user.
Gets or sets the local IPAddress on which the request was received.
Gets or sets the remote port of the client making the request.
Gets or sets the local port on which the request was received.
Used with protocols that require the Extended CONNECT handshake such as HTTP/2 WebSockets and WebTransport.
https://www.rfc-editor.org/rfc/rfc8441#section-4
Indicates if the current request is a Extended CONNECT request that can be transitioned to an opaque connection via AcceptAsync.
The :protocol header included in the request.
Send the response headers with a 200 status code and transition to opaque streaming.
An opaque bidirectional stream.
Feature to inspect and modify the maximum request body size for a single request.
Indicates whether is read-only.
If true, this could mean that the request body has already been read from
or that was called.
The maximum allowed size of the current request body in bytes.
When set to null, the maximum request body size is unlimited.
This cannot be modified after the reading the request body has started.
This limit does not affect upgraded connections which are always unlimited.
Defaults to the server's global max request body size limit.
Provides access to tags added to the metrics HTTP request counter. This feature isn't set if the counter isn't enabled.
Gets the tag collection.
Used to indicate if the request can have a body.
Indicates if the request can have a body.
This returns true when:
-
It's an HTTP/1.x request with a non-zero Content-Length or a 'Transfer-Encoding: chunked' header.
-
It's an HTTP/2 request that did not set the END_STREAM flag on the initial headers frame.
The final request body length may still be zero for the chunked or HTTP/2 scenarios.
This returns false when:
-
It's an HTTP/1.x request with no Content-Length or 'Transfer-Encoding: chunked' header, or the Content-Length is 0.
-
It's an HTTP/1.x request with Connection: Upgrade (e.g. WebSockets). There is no HTTP request body for these requests and
no data should be received until after the upgrade.
-
It's an HTTP/2 request that set END_STREAM on the initial headers frame.
When false, the request body should never return data.
Contains the details of a given request. These properties should all be mutable.
None of these properties should ever be set to null.
Gets or set the HTTP-version as defined in RFC 7230. E.g. "HTTP/1.1"
Gets or set the request uri scheme. E.g. "http" or "https".
Note this value is not included in the original request,
it is inferred by checking if the transport used a TLS
connection or not.
Gets or sets the request method as defined in RFC 7230. E.g. "GET", "HEAD", "POST", etc..
Gets or sets the first portion of the request path associated with application root.
The value is un-escaped. The value may be .
Gets or sets the portion of the request path that identifies the requested resource.
The value may be if contains the full path,
or for 'OPTIONS *' requests.
The path is fully decoded by the server except for '%2F', which would decode to '/' and
change the meaning of the path segments. '%2F' can only be replaced after splitting the path into segments.
Gets or sets the query portion of the request-target as defined in RFC 7230. The value
may be . If not empty then the leading '?' will be included. The value
is in its original form, without un-escaping.
Gets or sets the request target as it was sent in the HTTP request.
This property contains the raw path and full query, as well as other request targets
such as * for OPTIONS requests ().
This property is not used internally for routing or authorization decisions. It has not
been UrlDecoded and care should be taken in its use.
Gets or sets headers included in the request, aggregated by header name.
The values are not split or merged across header lines. E.g. The following headers:
- HeaderA: value1, value2
- HeaderA: value3
Result in Headers["HeaderA"] = { "value1, value2", "value3" }
Gets or sets a representing the request body, if any.
may be used to represent an empty request body.
Feature to uniquely identify a request.
Gets or sets a value to uniquely identify a request.
This can be used for logging and diagnostics.
Provides access to the HTTP request lifetime operations.
A that fires if the request is aborted and
the application should cease processing. The token will not fire if the request
completes successfully.
Forcefully aborts the request if it has not already completed. This will result in
RequestAborted being triggered.
This feature exposes HTTP request trailer headers, either for HTTP/1.1 chunked bodies or HTTP/2 trailing headers.
Indicates if the are available yet. They may not be available until the
request body is fully read.
The trailing headers received. This will throw if
returns false. They may not be available until the request body is fully read. If there are no trailers this will
return an empty collection.
Used to send reset messages for protocols that support them such as HTTP/2 or HTTP/3.
Send a reset message with the given error code. The request will be considered aborted.
The error code to send in the reset message.
An aggregate of the different ways to interact with the response body.
The for writing the response body.
A representing the response body, if any.
Opts out of write buffering for the response.
Starts the response by calling OnStarting() and making headers unmodifiable.
Sends the requested file in the response body. A response may include multiple writes.
The full disk path to the file.
The offset in the file to start at.
The number of bytes to send, or null to send the remainder of the file.
A used to abort the transmission.
Flush any remaining response headers, data, or trailers.
This may throw if the response is in an invalid state such as a Content-Length mismatch.
Represents the fields and state of an HTTP response.
Gets or sets the status-code as defined in RFC 7230.
Defaults to 200.
Gets or sets the reason-phrase as defined in RFC 7230. Note this field is no longer supported by HTTP/2.
Gets or sets the response headers to send. Headers with multiple values will be emitted as multiple headers.
Gets or sets the for writing the response body.
Gets a value that indicates if the response has started.
If , the ,
, and are now immutable, and
should no longer be called.
Registers a callback to be invoked just before the response starts.
This is the last chance to modify the , , or
.
The callback to invoke when starting the response.
The state to pass into the callback.
Registers a callback to be invoked after a response has fully completed. This is
intended for resource cleanup.
The callback to invoke after the response has completed.
The state to pass into the callback.
Provides access to response trailers.
Response trailers allow for additional headers to be sent at the end of an HTTP/1.1 (chunked) or HTTP/2 response.
For more details, see RFC7230.
Gets or sets the trailer headers.
Configures response compression behavior for HTTPS on a per-request basis.
The to use.
Provides access to server upgrade features.
Indicates if the server can upgrade this request to an opaque, bidirectional stream.
Attempt to upgrade the request to an opaque, bidirectional stream. The response status code
and headers need to be set before this is invoked. Check
before invoking.
Provides access to server websocket features.
Indicates if this is a WebSocket upgrade request.
Attempts to upgrade the request to a . Check
before invoking this.
The .
A .
API for accepting and retrieving WebTransport sessions.
Indicates if this request is a WebTransport request.
Accept the session request and allow streams to start being used.
The cancellation token to cancel waiting for the session.
An instance of a WebTransportSession which will be used to control the connection.
Provides a key/value collection that can be used to share data within the scope of this request.
Gets or sets a a key/value collection that can be used to share data within the scope of this request.
Provides access to the associated with the HTTP request.
Gets or sets the .
Represents the HTTP request body as a .
Gets a representing the request body, if any.
Provides access to request cookie collection.
Gets or sets the request cookies.
A helper for creating the response Set-Cookie header.
Gets the wrapper for the response Set-Cookie header.
This feature provides access to request server variables set.
Gets or sets the value of a server variable for the current request.
The variable name
May return null or empty if the variable does not exist or is not set.
Provides acccess to the request-scoped .
Gets or sets the scoped to the current request.
Provides access to the for the current request.
The for the current request.
Provides access to TLS features associated with the current HTTP connection.
Synchronously retrieves the client certificate, if any.
Asynchronously retrieves the client certificate, if any.
Provides information regarding TLS token binding parameters.
TLS token bindings help mitigate the risk of impersonation by an attacker in the
event an authenticated client's bearer tokens are somehow exfiltrated from the
client's machine. See
for more information.
Gets the 'provided' token binding identifier associated with the request.
The token binding identifier, or null if the client did not
supply a 'provided' token binding or valid proof of possession of the
associated private key. The caller should treat this identifier as an
opaque blob and should not try to parse it.
Gets the 'referred' token binding identifier associated with the request.
The token binding identifier, or null if the client did not
supply a 'referred' token binding or valid proof of possession of the
associated private key. The caller should treat this identifier as an
opaque blob and should not try to parse it.
Used to query, grant, and withdraw user consent regarding the storage of user
information related to site activity and functionality.
Indicates if consent is required for the given request.
Indicates if consent was given.
Indicates either if consent has been given or if consent is not required.
Grants consent for this request. If the response has not yet started then
this will also grant consent for future requests.
Withdraws consent for this request. If the response has not yet started then
this will also withdraw consent for future requests.
Creates a consent cookie for use when granting consent from a javascript client.
Controls the session and streams of a WebTransport session.
The id of the WebTransport session.
Abruptly close the WebTransport session and stop all the streams.
HTTP error code that corresponds to the reason for causing the abort.
Error codes are described here: https://www.rfc-editor.org/rfc/rfc9114.html#name-http-3-error-codes
Returns the next incoming stream in the order the server received it. The stream can be either bidirectional or unidirectional.
To use WebTransport, you must first enable the Microsoft.AspNetCore.Server.Kestrel.Experimental.WebTransportAndH3Datagrams AppContextSwitch
The cancellation token used to cancel the operation.
The unidirectional or bidirectional stream that is next in the queue, or null if the session has ended.
Opens a new unidirectional output stream.
The cancellation token used to cancel the operation.
The unidirectional stream that was opened.
Options used to create a new cookie.
Creates a default cookie with a path of '/'.
Creates a copy of the given .
Gets or sets the domain to associate the cookie with.
The domain to associate the cookie with.
Gets or sets the cookie path.
The cookie path.
Gets or sets the expiration date and time for the cookie.
The expiration date and time for the cookie.
Gets or sets a value that indicates whether to transmit the cookie using Secure Sockets Layer (SSL)--that is, over HTTPS only.
true to transmit the cookie only over an SSL connection (HTTPS); otherwise, false.
Gets or sets the value for the SameSite attribute of the cookie. The default value is
The representing the enforcement mode of the cookie.
Gets or sets a value that indicates whether a cookie is inaccessible by client-side script.
true if a cookie must not be accessible by client-side script; otherwise, false.
Gets or sets the max-age for the cookie.
The max-age date and time for the cookie.
Indicates if this cookie is essential for the application to function correctly. If true then
consent policy checks may be bypassed. The default value is false.
Gets a collection of additional values to append to the cookie.
Creates a using the current options.
Represents the parsed form values sent with the HttpRequest.
Gets the number of elements contained in the .
The number of elements contained in the .
Gets an containing the keys of the
.
An containing the keys of the object
that implements .
Determines whether the contains an element
with the specified key.
The key to locate in the .
true if the contains an element with
the key; otherwise, false.
key is null.
Gets the value associated with the specified key.
The key of the value to get.
The key of the value to get.
When this method returns, the value associated with the specified key, if the
key is found; otherwise, the default value for the type of the value parameter.
This parameter is passed uninitialized.
true if the object that implements contains
an element with the specified key; otherwise, false.
key is null.
Gets the value with the specified key.
The key of the value to get.
The element with the specified key, or StringValues.Empty if the key is not present.
key is null.
incorrect content-type.
has a different indexer contract than
, as it will return StringValues.Empty for missing entries
rather than throwing an Exception.
This indexer can only be used on POST requests. Otherwise an exception of type
is thrown.
Invoking this property could result in thread exhaustion since it's wrapping an asynchronous implementation.
The HttpRequest.ReadFormAsync(CancellationToken) method can get the form without blocking.
For more information, see .
The file collection sent with the request.
The files included with the request.
Represents a file sent with the HttpRequest.
Gets the raw Content-Type header of the uploaded file.
Gets the raw Content-Disposition header of the uploaded file.
Gets the header dictionary of the uploaded file.
Gets the file length in bytes.
Gets the form field name from the Content-Disposition header.
Gets the file name from the Content-Disposition header.
Opens the request stream for reading the uploaded file.
Copies the contents of the uploaded file to the stream.
The stream to copy the file contents to.
Asynchronously copies the contents of the uploaded file to the stream.
The stream to copy the file contents to.
Represents the collection of files sent with the HttpRequest.
Gets the first file with the specified name.
The name of the file to get.
The requested file, or null if it is not present.
Gets the first file with the specified name.
The name of the file to get.
The requested file, or null if it is not present.
Gets an containing the files of the
with the specified name.
The name of the files to get.
An containing the files of the object
that implements .
Represents HttpRequest and HttpResponse headers
IHeaderDictionary has a different indexer contract than IDictionary, where it will return StringValues.Empty for missing entries.
The stored value, or StringValues.Empty if the key is not present.
Strongly typed access to the Content-Length header. Implementations must keep this in sync with the string representation.
Gets or sets the Accept HTTP header.
Gets or sets the Accept-Charset HTTP header.
Gets or sets the Accept-Encoding HTTP header.
Gets or sets the Accept-Language HTTP header.
Gets or sets the Accept-Ranges HTTP header.
Gets or sets the Access-Control-Allow-Credentials HTTP header.
Gets or sets the Access-Control-Allow-Headers HTTP header.
Gets or sets the Access-Control-Allow-Methods HTTP header.
Gets or sets the Access-Control-Allow-Origin HTTP header.
Gets or sets the Access-Control-Expose-Headers HTTP header.
Gets or sets the Access-Control-Max-Age HTTP header.
Gets or sets the Access-Control-Request-Headers HTTP header.
Gets or sets the Access-Control-Request-Method HTTP header.
Gets or sets the Age HTTP header.
Gets or sets the Allow HTTP header.
Gets or sets the Alt-Svc HTTP header.
Gets or sets the Authorization HTTP header.
Gets or sets the baggage HTTP header.
Gets or sets the Cache-Control HTTP header.
Gets or sets the Connection HTTP header.
Gets or sets the Content-Disposition HTTP header.
Gets or sets the Content-Encoding HTTP header.
Gets or sets the Content-Language HTTP header.
Gets or sets the Content-Location HTTP header.
Gets or sets the Content-MD5 HTTP header.
Gets or sets the Content-Range HTTP header.
Gets or sets the Content-Security-Policy HTTP header.
Gets or sets the Content-Security-Policy-Report-Only HTTP header.
Gets or sets the Content-Type HTTP header.
Gets or sets the Correlation-Context HTTP header.
Gets or sets the Cookie HTTP header.
Gets or sets the Date HTTP header.
Gets or sets the ETag HTTP header.
Gets or sets the Expires HTTP header.
Gets or sets the Expect HTTP header.
Gets or sets the From HTTP header.
Gets or sets the Grpc-Accept-Encoding HTTP header.
Gets or sets the Grpc-Encoding HTTP header.
Gets or sets the Grpc-Message HTTP header.
Gets or sets the Grpc-Status HTTP header.
Gets or sets the Grpc-Timeout HTTP header.
Gets or sets the Host HTTP header.
Gets or sets the Keep-Alive HTTP header.
Gets or sets the If-Match HTTP header.
Gets or sets the If-Modified-Since HTTP header.
Gets or sets the If-None-Match HTTP header.
Gets or sets the If-Range HTTP header.
Gets or sets the If-Unmodified-Since HTTP header.
Gets or sets the Last-Modified HTTP header.
Gets or sets the Link HTTP header.
Gets or sets the Location HTTP header.
Gets or sets the Max-Forwards HTTP header.
Gets or sets the Origin HTTP header.
Gets or sets the Pragma HTTP header.
Gets or sets the Proxy-Authenticate HTTP header.
Gets or sets the Proxy-Authorization HTTP header.
Gets or sets the Proxy-Connection HTTP header.
Gets or sets the Range HTTP header.
Gets or sets the Referer HTTP header.
Gets or sets the Retry-After HTTP header.
Gets or sets the Request-Id HTTP header.
Gets or sets the Sec-WebSocket-Accept HTTP header.
Gets or sets the Sec-WebSocket-Key HTTP header.
Gets or sets the Sec-WebSocket-Protocol HTTP header.
Gets or sets the Sec-WebSocket-Version HTTP header.
Gets or sets the Sec-WebSocket-Extensions HTTP header.
Gets or sets the Server HTTP header.
Gets or sets the Set-Cookie HTTP header.
Gets or sets the Strict-Transport-Security HTTP header.
Gets or sets the TE HTTP header.
Gets or sets the Trailer HTTP header.
Gets or sets the Transfer-Encoding HTTP header.
Gets or sets the Translate HTTP header.
Gets or sets the traceparent HTTP header.
Gets or sets the tracestate HTTP header.
Gets or sets the Upgrade HTTP header.
Gets or sets the Upgrade-Insecure-Requests HTTP header.
Gets or sets the User-Agent HTTP header.
Gets or sets the Vary HTTP header.
Gets or sets the Via HTTP header.
Gets or sets the Warning HTTP header.
Gets or sets the Sec-WebSocket-Protocol HTTP header.
Gets or sets the WWW-Authenticate HTTP header.
Gets or sets the X-Content-Type-Options HTTP header.
Gets or sets the X-Frame-Options HTTP header.
Gets or sets the X-Powered-By HTTP header.
Gets or sets the X-Requested-With HTTP header.
Gets or sets the X-UA-Compatible HTTP header.
Gets or sets the X-XSS-Protection HTTP header.
Represents the HttpRequest query string collection
Gets the number of elements contained in the .
The number of elements contained in the .
Gets an containing the keys of the
.
An containing the keys of the object
that implements .
Determines whether the contains an element
with the specified key.
The key to locate in the .
true if the contains an element with
the key; otherwise, false.
key is null.
Gets the value associated with the specified key.
The key of the value to get.
The key of the value to get.
When this method returns, the value associated with the specified key, if the
key is found; otherwise, the default value for the type of the value parameter.
This parameter is passed uninitialized.
true if the object that implements contains
an element with the specified key; otherwise, false.
key is null.
Gets the value with the specified key.
The key of the value to get.
The element with the specified key, or StringValues.Empty if the key is not present.
key is null.
has a different indexer contract than
, as it will return StringValues.Empty for missing entries
rather than throwing an Exception.
Represents the HttpRequest cookie collection
Gets the number of elements contained in the .
The number of elements contained in the .
Gets an containing the keys of the
.
An containing the keys of the object
that implements .
Determines whether the contains an element
with the specified key.
The key to locate in the .
true if the contains an element with
the key; otherwise, false.
key is null.
Gets the value associated with the specified key.
The key of the value to get.
The key of the value to get.
When this method returns, the value associated with the specified key, if the
key is found; otherwise, the default value for the type of the value parameter.
This parameter is passed uninitialized.
true if the object that implements contains
an element with the specified key; otherwise, false.
key is null.
Gets the value with the specified key.
The key of the value to get.
The element with the specified key, or null if the key is not present.
key is null.
has a different indexer contract than
, as it will return null for missing entries
rather than throwing an Exception.
A wrapper for the response Set-Cookie header.
Add a new cookie and value.
Name of the new cookie.
Value of the new cookie.
Add a new cookie.
Name of the new cookie.
Value of the new cookie.
included in the new cookie setting.
Add elements of specified collection as cookies.
Key value pair collections whose elements will be added as cookies.
included in new cookie settings.
Sets an expired cookie.
Name of the cookie to expire.
Sets an expired cookie.
Name of the cookie to expire.
used to discriminate the particular cookie to expire. The
and values are especially important.
Stores user data while the user browses a web application. Session state uses a store maintained by the application
to persist data across requests from a client. The session data is backed by a cache and considered ephemeral data.
Indicates whether the current session loaded successfully. Accessing this property before the session is loaded will cause it to be loaded inline.
A unique identifier for the current session. This is not the same as the session cookie
since the cookie lifetime may not be the same as the session entry lifetime in the data store.
Enumerates all the keys, if any.
Load the session from the data store. This may throw if the data store is unavailable.
Store the session in the data store. This may throw if the data store is unavailable.
Retrieve the value of the given key, if present.
The retrieved value.
Set the given key and value in the current session. This will throw if the session
was not established prior to sending the response.
Remove the given key from the session if present.
Remove all entries from the current session, if any.
The session cookie is not removed.
Used to set the SameSite field on response cookies to indicate if those cookies should be included by the client on future "same-site" or "cross-site" requests.
RFC Draft:
No SameSite field will be set, the client should follow its default cookie policy.
Indicates the client should disable same-site restrictions.
Indicates the client should send the cookie with "same-site" requests, and with "cross-site" top-level navigations.
Indicates the client should only send the cookie with "same-site" requests.
A context for negotiating a websocket upgrade.
Gets or sets the subprotocol being negotiated.
The interval to send pong frames. This is a heart-beat that keeps the connection alive.
Enables support for the 'permessage-deflate' WebSocket extension.
Be aware that enabling compression over encrypted connections makes the application subject to CRIME/BREACH type attacks.
It is strongly advised to turn off compression when sending data containing secrets by
specifying when sending such messages.
Disables server context takeover when using compression.
This setting reduces the memory overhead of compression at the cost of a potentially worse compression ratio.
This property does nothing when is false,
or when the client does not use compression.
false
Sets the maximum base-2 logarithm of the LZ77 sliding window size that can be used for compression.
This setting reduces the memory overhead of compression at the cost of a potentially worse compression ratio.
This property does nothing when is false,
or when the client does not use compression.
Valid values are 9 through 15.
15
Used to set the result of anti-forgery token validation.
Gets a value that determines if the anti-forgery token on the request is valid.
Gets the that occurred when validating the anti-forgery token.