CodexBloom - Programming Q&A Platform

Using IHttpClientFactory in .NET 7 results in Mixed Content Security Warning on HTTPS

πŸ‘€ Views: 62 πŸ’¬ Answers: 1 πŸ“… Created: 2025-06-06
dotnet httpclient https C#

I've looked through the documentation and I'm still confused about I'm facing a mixed content warning in my .NET 7 Web API when using IHttpClientFactory to make outgoing HTTPS requests. The issue arises when I attempt to call an external API over HTTPS, but the response includes HTTP resources, which triggers browser security warnings. I am using the following setup for my HttpClient: ```csharp services.AddHttpClient("ExternalApi", client => { client.BaseAddress = new Uri("https://api.example.com/"); client.Timeout = TimeSpan.FromSeconds(30); }); ``` When I execute the request, I correctly receive a response, but upon inspecting the response, I found that some links in the payload are HTTP instead of HTTPS. For example, I get a JSON response like this: ```json { "data": { "imageUrl": "http://images.example.com/photo.jpg" } } ``` I’ve tried adding a middleware to rewrite these URLs, but it seems that the original response is returned before the middleware has a chance to modify it. Here's my middleware code: ```csharp public class UrlRewriteMiddleware { private readonly RequestDelegate _next; public UrlRewriteMiddleware(RequestDelegate next) { _next = next; } public async Task InvokeAsync(HttpContext context) { await _next(context); if (context.Response.ContentType == "application/json") { context.Response.Body.Position = 0; var reader = new StreamReader(context.Response.Body); var body = await reader.ReadToEndAsync(); body = body.Replace("http://", "https://"); context.Response.Body.Position = 0; await context.Response.WriteAsync(body); } } } ``` This approach doesn’t seem to work effectively, as I still see the original HTTP URLs in my output. I've also checked the API documentation for the external service, and there appears to be no option to configure it to return HTTPS links. Is there a better way to handle this issue, or an alternative approach to ensure that I only get secure URLs in my responses, ideally at the point of making the API call? Any advice would be greatly appreciated.