Add IP Allowlist Support for DebugProbe Endpoints
Description
DebugProbe currently exposes its endpoints to any client that can reach the application.
While some applications may already protect DebugProbe through authentication, reverse proxies, VPNs, or network-level restrictions, there is currently no built-in way to restrict access based on client IP addresses.
DebugProbe should provide an optional IP allowlist that limits access to DebugProbe endpoints.
Current Behavior
DebugProbe endpoints are accessible to any client that can reach the application unless additional restrictions are implemented externally.
There is currently no built-in IP-based access control.
Expected Behavior
Users should be able to configure an allowlist of IP addresses that are permitted to access DebugProbe endpoints.
Example:
    builder.Services.AddDebugProbe(options =>
    {
        options.AllowedIPs =
        [
            "127.0.0.1",
            "::1",
            "10.0.0.15"
        ];
    });
Default behavior:
When AllowedIPs is empty or not configured:
- no IP restriction is applied
- existing behavior is preserved
When AllowedIPs contains one or more values:
- only requests originating from configured IP addresses may access DebugProbe endpoints
- requests from non-allowed IP addresses should be rejected
This feature should be optional and disabled by default to preserve backward compatibility.
Result
After this change:
- DebugProbe endpoints can be restricted to trusted IP addresses
- local-only, office-only, VPN-only, and internal network scenarios become easier to configure
- users gain an additional layer of protection without requiring authentication
- existing applications continue to work without modification
- DebugProbe becomes easier to adopt in environments with network-based access controls
Documentation Updates
After implementation, the following documentation should be updated:
- README Optional Configuration section
- Security Defaults section
Examples should demonstrate how to restrict DebugProbe endpoint access using an IP allowlist.
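Added example, not part of the original issue and not DebugProbe's own code: one way the requested check could be written as ASP.NET Core middleware, including the IPv4-mapped IPv6 case that makes a plain string comparison against `AllowedIPs` miss. The names `IpAllowlist` and `UseDebugProbeIpAllowlist`, the `pathPrefix` parameter, and the 403 response are assumptions; the issue only says non-allowed requests should be rejected.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Hypothetical helper, not DebugProbe's API: parses the configured strings once
// and answers whether a connection's remote address is on the allowlist.
public sealed class IpAllowlist
{
    private readonly HashSet<IPAddress> _allowed = new();
    public IpAllowlist(IEnumerable<string>? allowedIPs)
    {
        foreach (var entry in allowedIPs ?? Array.Empty<string>())
        {
            // Fail at startup on a typo instead of silently dropping the entry.
            if (!IPAddress.TryParse(entry, out var ip))
                throw new ArgumentException($"Invalid AllowedIPs entry: '{entry}'");
            _allowed.Add(Normalize(ip));
        }
    }

    // Empty or unconfigured list: no restriction, as the issue's default requires.
    public bool IsAllowed(IPAddress? remote) =>
        _allowed.Count == 0 || (remote is not null && _allowed.Contains(Normalize(remote)));

    // A dual-stack socket reports an IPv4 client as ::ffff:a.b.c.d; map it back to IPv4.
    private static IPAddress Normalize(IPAddress ip) =>
        ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
}

public static class DebugProbeAllowlistExtensions
{
    // pathPrefix is an assumption: the issue does not say where the endpoints are mounted.
    public static IApplicationBuilder UseDebugProbeIpAllowlist(
        this IApplicationBuilder app, IEnumerable<string>? allowedIPs, PathString pathPrefix)
    {
        var allowlist = new IpAllowlist(allowedIPs);
        return app.Use(async (context, next) =>
        {
            if (context.Request.Path.StartsWithSegments(pathPrefix)
                && !allowlist.IsAllowed(context.Connection.RemoteIpAddress))
            {
                context.Response.StatusCode = StatusCodes.Status403Forbidden; // assumed status
                return;
            }
            await next(context);
        });
    }
}
```

Behind a reverse proxy, `Connection.RemoteIpAddress` is the proxy's address unless the Forwarded Headers middleware runs first and is limited to known proxies. Without that, either every request matches the proxy's entry or a client-supplied `X-Forwarded-For` value is trusted.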