// use case
Expose your ASP.NET Core app on a public URL
Kestrel listens on localhost. dotnet run --urls https://localhost:7000 gives you a self-signed cert your phone won't trust. lrok's edge cert is real.
Run the app
$ dotnet runTunnel
$ lrok http 5000Forwarded headers middleware
In Program.cs: app.UseForwardedHeaders(new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.All }). HttpContext.Request.Scheme then reflects lrok's https.
// why lrok for this
ASP.NET's anti-forgery tokens are tied to the request scheme. With real https from lrok, dev cookies pick up the Secure attribute — same as prod.