Chris Ross

> * Is the event bad for performance after you rotate certs? > > * After cert rotation, the handler would first populate the `X509ChainPolicy` with outdated certs from `CertificateAuthenticationOptions.CustomTrustStore`,...

Options are already snapshotted at the start of a request here: https://github.com/dotnet/aspnetcore/blob/f8f03ea3764826d009f7ceb9bb91e482ce4a3fa9/src/Security/Authentication/Core/src/AuthenticationHandler.cs#L155 Note a handler's lifetime is per-request. That leaves the question of how to trigger an options reload. This...

This is per spec, HEAD requests do not produce a response body, nor should they close the connection. Using the `--head` option is the correct client usage.

Yes discovery will be harder but I expect it to still be possible via a few different network effects: - Discover users in person or via direct recommendation - Discover...

Who can see it now in the flood?

Users on the Android client were unable to initiate sea mail conversations, they could only be initiated via the web app. Once initiated everything worked normally. That's a topic for...

Over here please: https://github.com/dotnet/aspnetcore FYI, I don't work on AspNetCore anymore.

You're right that this isn't natively supported, but you could add it with custom transforms keyed from config. https://microsoft.github.io/reverse-proxy/articles/transforms.html#extensibility https://github.com/microsoft/reverse-proxy/pull/1923

It was intentional for headers. Empty headers have no semantic meaning and may be dropped by intermediaries. The query situation is a bit different. We assume key-value pairs (?key1=a&key2=b), but...

That's showing that the first request was redirected to `/Account/AccessDeined`, but the second (that followed the redirect) still matched `/Account/AccessDenied` to YARP's catch-all route. This is likely an issue of...