From 16c1b2da9bcb2b78364377095c364f1ce4e92566 Mon Sep 17 00:00:00 2001 From: shamoon <4887959+shamoon@users.noreply.github.com> Date: Sat, 15 Mar 2025 07:14:41 -0700 Subject: [PATCH] Enhancement: allow disabling host header checking (#4967) --- docs/installation/index.md | 6 +++++- src/middleware.js | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/installation/index.md b/docs/installation/index.md index dd8c18f3..38fb30ea 100644 --- a/docs/installation/index.md +++ b/docs/installation/index.md @@ -29,4 +29,8 @@ You have a few options for deploying homepage, depending on your needs. We offer ### `HOMEPAGE_ALLOWED_HOSTS` -As of v1.0 there is one required environment variable when deploying via a public URL, <code>HOMEPAGE_ALLOWED_HOSTS</code>. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for examples. +As of v1.0 there is one required environment variable when deploying via a public URL, <code>HOMEPAGE_ALLOWED_HOSTS</code>. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for more information. + +`localhost:3000` and the loopback address `127.0.0.1:3000` are always allowed, but you can add a domain or IP address to this list to allow access from that host such as `HOMEPAGE_ALLOWED_HOSTS=gethomepage.io:1234,gethomepage.dev`, etc. + +This can be disabled by setting `HOMEPAGE_ALLOWED_HOSTS` to `*` but this is not recommended. diff --git a/src/middleware.js b/src/middleware.js index 853a0094..a2b24f4a 100644 --- a/src/middleware.js +++ b/src/middleware.js @@ -4,11 +4,11 @@ export function middleware(req) { // Check the Host header, if HOMEPAGE_ALLOWED_HOSTS is set const host = req.headers.get("host"); const port = process.env.PORT || 3000; - let allowedHosts = [`localhost:${port}`, `127.0.0.1:${port}`]; + const allowAll = process.env.HOMEPAGE_ALLOWED_HOSTS === "*"; if (process.env.HOMEPAGE_ALLOWED_HOSTS) { allowedHosts = allowedHosts.concat(process.env.HOMEPAGE_ALLOWED_HOSTS.split(",")); } - if (!host || !allowedHosts.includes(host)) { + if (!allowAll && (!host || !allowedHosts.includes(host))) { // eslint-disable-next-line no-console console.error( `Host validation failed for: ${host}. Hint: Set the HOMEPAGE_ALLOWED_HOSTS environment variable to allow requests from this host / port.`,