Add optional feature to reject requests without IIS token

[blowdart]

This would prevent requests on the same machine bypassing auth/path authorization provided by IIS.

Should default to false though.

[Tratcher]

Why default to false? Is there a mainstream scenario where you wouldn't want it on?

[Tratcher]

Offline dicussion: On by default, no option to turn it off. The middleware is only added to the pipeline if the AspNetCoreModule environment variables are detected at startup, so enabling this will not affect self-host scenarios.

[kevinchalet]

Why not providing an option to disable this feature? What happens if I want to host my app in various environments? (e.g behind IIS on a Windows machine, behind nginx on a Linux-based machine).

---

Wooops, forget that, as mentioned, the integration middleware is only added if the ANCM environment variables are injected in the app process, so it shouldn't be a problem 😄