
Secure cookies and TLS termination in Azure Application Gateway


A requirement for my application is that its cookies are served over HTTPS only (Secure attribute). It is also to be hosted behind Azure Application Gateway with TLS termination configured: the client-to-gateway connection is secure, the gateway-to-backend connection is not.

This causes Secure cookies to be refused by the application since its connection is insecure:

The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.

How can I configure either:

There seem to be no other questions on SO about this specifically for Azure App Gateway, and Microsoft's documentation never mentions anything about cookie security.


Solution

  • The core of my problem is that my .NET 6 application refuses the cookie when sent by the client. It turns out there is a built-in middleware specifically to ensure compatibility with load balancers as described in this article: ForwardedHeaders

    The original connection scheme is sent in the header X-Forwarded-Proto and the ForwardedHeaders middleware can use this to internally consider the connection secure.
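A complete Program.cs for the setup described in the answer, as an added example (it is not the answerer's code). It wires up the ForwardedHeaders middleware so that X-Forwarded-Proto from the gateway makes the request count as HTTPS, while still issuing session cookies with the Secure attribute. The gateway subnet 10.0.1.0/24 and the /whoami endpoint are assumptions for illustration; the subnet must be the one your Application Gateway is actually deployed in.

```csharp
// Program.cs for a .NET 6 minimal-hosting app sitting behind Azure Application Gateway
// with TLS terminated at the gateway and plain HTTP to the backend.
// Added example, not code from the original answer. 10.0.1.0/24 is an assumed
// gateway subnet; replace it with yours.
using System.Net;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    // Honour only the headers the gateway sets: the original scheme and client IP.
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;

    // By default only loopback proxies are trusted. Replace that with the gateway
    // subnet only, so another host on the backend network cannot send
    // "X-Forwarded-Proto: https" and have its plain-HTTP request treated as secure.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
    options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.1.0"), 24)); // assumed subnet
});

// Session state needs a distributed cache; in-memory is enough for this example.
builder.Services.AddDistributedMemoryCache();

// Keep the original requirement: the session cookie is always marked Secure.
builder.Services.AddSession(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = SameSiteMode.Lax;
});

var app = builder.Build();

// Must run before anything that looks at Request.Scheme / Request.IsHttps
// (HTTPS redirection, HSTS, session, authentication, antiforgery).
app.UseForwardedHeaders();
app.UseSession();

// Diagnostic endpoint (assumed name): behind the gateway, isHttps reports true
// even though the gateway-to-backend hop is plain HTTP.
app.MapGet("/whoami", (HttpContext ctx) =>
{
    ctx.Session.SetString("seen", "1"); // forces the Secure session cookie to be issued
    return Results.Ok(new
    {
        scheme = ctx.Request.Scheme,
        isHttps = ctx.Request.IsHttps,
        remoteIp = ctx.Connection.RemoteIpAddress?.ToString()
    });
});

app.Run();
```

To check the trust boundary, call the backend directly over HTTP from a host that is not in the configured KnownNetworks and add `X-Forwarded-Proto: https` by hand: the middleware ignores the header, `isHttps` stays false and the Secure cookie is not issued, which is the intended behaviour. The same request arriving via the gateway reports `isHttps: true` and gets the cookie. Ordering matters: if `UseHttpsRedirection` ran before `UseForwardedHeaders`, every request through the gateway would be redirected to https and loop.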