---
title: Enable Encrypted Client Hello (ECH)
impact: HIGH
impactDescription: protects privacy of connection metadata
tags: tls, ech, privacy, encryption, security, csharp
---

## Enable Encrypted Client Hello (ECH)

ECH encrypts the TLS ClientHello (including the SNI extension) so that on-path observers such as ISPs cannot see which hostname you are connecting to; only the cover name from the server's ECH config is visible in the outer ClientHello.

**Status:**
- ECH support in .NET depends on the underlying OS TLS stack (OpenSSL 3+ on Linux, Windows 11+).
- Requires DNS configuration (the ECH config is published via HTTPS records).

**Implementation:**

```csharp
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

// Kestrel configuration. ECH is negotiated by the OS TLS stack, so this is
// mostly transparent to the application if the OS supports it.
// Ensure you are using HTTP/3 (QUIC) and the latest TLS; ECH only exists for TLS 1.3.
// `webBuilder` is the IWebHostBuilder passed to ConfigureWebHostDefaults.
webBuilder.ConfigureKestrel(options =>
{
    options.ListenAnyIP(443, listenOptions =>
    {
        // TLS with the configured server certificate
        listenOptions.UseHttps();
        // Offer HTTP/1.1, HTTP/2 and HTTP/3 (QUIC) on this endpoint
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
    });
});
```

**Checklist:**
- [ ] Configure DNS HTTPS records
- [ ] Use Cloudflare or another ECH-enabled CDN
- [ ] Ensure underlying OS supports ECH
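A worked check for the "Configure DNS HTTPS records" item, and for what ECH actually hides. The Python script below is an added example, not part of this page or of any .NET code: it parses the RDATA of a DNS HTTPS (type 65) record, looks for the `ech` SvcParam, decodes the ECHConfigList it carries, and reports whether ECH is published and which `public_name` will appear as the outer SNI. The record bytes, the 32-byte placeholder public key and the name `public.example` are constructed sample values; against a real deployment you would feed it the HTTPS record returned by your resolver.

```python
"""Check whether a DNS HTTPS RR publishes an ECH config (added example, constructed data)."""
import struct

# SvcParamKey registry values (RFC 9460); key 5 is "ech".
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def read_name(data: bytes, pos: int) -> tuple[str, int]:
    """Read an uncompressed DNS wire-format name; returns (name, new_pos)."""
    labels = []
    while True:
        length = data[pos]
        pos += 1
        if length == 0:
            break
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return (".".join(labels) + "." if labels else "."), pos


def parse_https_rdata(rdata: bytes) -> dict:
    """Parse HTTPS RR RDATA: SvcPriority, TargetName, then key/len/value SvcParams."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = read_name(rdata, 2)
    params = {}
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = rdata[pos:pos + length]
        pos += length
    return {"priority": priority, "target": target, "params": params}


def parse_ech_config_list(blob: bytes) -> list[dict]:
    """Decode an ECHConfigList: 2-byte list length, then version(2) || length(2) || contents.

    For version 0xfe0d (the deployed ECH draft-13 wire format) contents are
    config_id(1), kem_id(2), public_key<2-byte len>, cipher_suites<2-byte len>,
    maximum_name_length(1), public_name<1-byte len>, extensions<2-byte len>.
    """
    total = struct.unpack("!H", blob[:2])[0]
    pos, end, configs = 2, 2 + total, []
    while pos < end:
        version, length = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        body = blob[pos:pos + length]
        pos += length
        if version != 0xFE0D:            # unknown version: record it, do not decode
            configs.append({"version": version, "supported": False})
            continue
        config_id = body[0]
        kem_id, pk_len = struct.unpack("!HH", body[1:5])
        p = 5 + pk_len                   # skip the KEM public key bytes
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        suites = [struct.unpack("!HH", body[i:i + 4]) for i in range(p, p + cs_len, 4)]
        p += cs_len
        max_name_len, name_len = body[p], body[p + 1]
        p += 2
        public_name = body[p:p + name_len].decode("ascii")
        configs.append({"version": version, "supported": True, "config_id": config_id,
                        "kem_id": kem_id, "public_key_len": pk_len, "cipher_suites": suites,
                        "maximum_name_length": max_name_len, "public_name": public_name})
    return configs


def check_ech(rdata: bytes) -> dict:
    """Operator check: is a usable ECH config published, and what outer SNI will observers see?"""
    rec = parse_https_rdata(rdata)
    ech = rec["params"].get("ech")
    configs = [c for c in parse_ech_config_list(ech) if c["supported"]] if ech else []
    return {"ech_published": bool(configs),
            "public_name": configs[0]["public_name"] if configs else None,
            "record": rec}


def build_sample_rdata() -> bytes:
    """Constructed sample: priority 1, target ".", alpn=h2,h3 and one ECHConfig."""
    public_key = bytes(range(32))         # placeholder X25519 key bytes, not a real key
    public_name = b"public.example"       # constructed cover name
    contents = (bytes([0x2A]) + struct.pack("!HH", 0x0020, len(public_key)) + public_key
                + struct.pack("!H", 4) + struct.pack("!HH", 0x0001, 0x0001)   # HKDF-SHA256/AES-128-GCM
                + bytes([0, len(public_name)]) + public_name + struct.pack("!H", 0))
    ech_config = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    ech_list = struct.pack("!H", len(ech_config)) + ech_config
    alpn = b"\x02h2\x02h3"
    rdata = struct.pack("!H", 1) + b"\x00"                  # SvcPriority 1, TargetName "."
    rdata += struct.pack("!HH", 1, len(alpn)) + alpn        # alpn
    rdata += struct.pack("!HH", 5, len(ech_list)) + ech_list  # ech
    return rdata


if __name__ == "__main__":
    result = check_ech(build_sample_rdata())
    print("ECH published:", result["ech_published"])
    print("outer SNI an observer sees:", result["public_name"])
```

If `ech_published` is false for your origin, clients fall back to a plaintext SNI and the checklist item is not done; if it is true, the `public_name` value is the only hostname a Wireshark capture of the ClientHello should show, which is the quickest way to confirm the deployment end to end.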

**Tools:** SSL Labs, Wireshark
