Enhancement: allow disabling host header checking (#4967)

docs/installation/index.md

@@ -29,4 +29,8 @@ You have a few options for deploying homepage, depending on your needs. We offer
 
 ### `HOMEPAGE_ALLOWED_HOSTS`
 
-As of v1.0 there is one required environment variable when deploying via a public URL, <code>HOMEPAGE_ALLOWED_HOSTS</code>. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for examples.
+As of v1.0 there is one required environment variable when deploying via a public URL, <code>HOMEPAGE_ALLOWED_HOSTS</code>. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for more information.
+
+`localhost:3000` and the loopback address `127.0.0.1:3000` are always allowed, but you can add a domain or IP address to this list to allow access from that host such as `HOMEPAGE_ALLOWED_HOSTS=gethomepage.io:1234,gethomepage.dev`, etc.
+
+This can be disabled by setting `HOMEPAGE_ALLOWED_HOSTS` to `*` but this is not recommended.

src/middleware.js

@@ -4,11 +4,11 @@ export function middleware(req) {
   // Check the Host header, if HOMEPAGE_ALLOWED_HOSTS is set
   const host = req.headers.get("host");
   const port = process.env.PORT || 3000;
-  let allowedHosts = [`localhost:${port}`, `127.0.0.1:${port}`];
+  const allowAll = process.env.HOMEPAGE_ALLOWED_HOSTS === "*";
   if (process.env.HOMEPAGE_ALLOWED_HOSTS) {
     allowedHosts = allowedHosts.concat(process.env.HOMEPAGE_ALLOWED_HOSTS.split(","));
   }
-  if (!host || !allowedHosts.includes(host)) {
+  if (!allowAll && (!host || !allowedHosts.includes(host))) {
     // eslint-disable-next-line no-console
     console.error(
       `Host validation failed for: ${host}. Hint: Set the HOMEPAGE_ALLOWED_HOSTS environment variable to allow requests from this host / port.`,