diff --git a/docs/installation/index.md b/docs/installation/index.md
index dd8c18f3..38fb30ea 100644
--- a/docs/installation/index.md
+++ b/docs/installation/index.md
@@ -29,4 +29,8 @@ You have a few options for deploying homepage, depending on your needs. We offer
### `HOMEPAGE_ALLOWED_HOSTS`
-As of v1.0 there is one required environment variable when deploying via a public URL, HOMEPAGE_ALLOWED_HOSTS. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for examples.
+As of v1.0 there is one required environment variable when deploying via a public URL, HOMEPAGE_ALLOWED_HOSTS. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for more information.
+
+`localhost:3000` and the loopback address `127.0.0.1:3000` are always allowed, but you can add a domain or IP address to this list to allow access from that host such as `HOMEPAGE_ALLOWED_HOSTS=gethomepage.io:1234,gethomepage.dev`, etc.
+
+This can be disabled by setting `HOMEPAGE_ALLOWED_HOSTS` to `*` but this is not recommended.
diff --git a/src/middleware.js b/src/middleware.js
index 853a0094..a2b24f4a 100644
--- a/src/middleware.js
+++ b/src/middleware.js
@@ -4,11 +4,11 @@ export function middleware(req) {
// Check the Host header, if HOMEPAGE_ALLOWED_HOSTS is set
const host = req.headers.get("host");
const port = process.env.PORT || 3000;
- let allowedHosts = [`localhost:${port}`, `127.0.0.1:${port}`];
+ const allowAll = process.env.HOMEPAGE_ALLOWED_HOSTS === "*";
if (process.env.HOMEPAGE_ALLOWED_HOSTS) {
allowedHosts = allowedHosts.concat(process.env.HOMEPAGE_ALLOWED_HOSTS.split(","));
}
- if (!host || !allowedHosts.includes(host)) {
+ if (!allowAll && (!host || !allowedHosts.includes(host))) {
// eslint-disable-next-line no-console
console.error(
`Host validation failed for: ${host}. Hint: Set the HOMEPAGE_ALLOWED_HOSTS environment variable to allow requests from this host / port.`,