From 16c1b2da9bcb2b78364377095c364f1ce4e92566 Mon Sep 17 00:00:00 2001
From: shamoon <4887959+shamoon@users.noreply.github.com>
Date: Sat, 15 Mar 2025 07:14:41 -0700
Subject: [PATCH] Enhancement: allow disabling host header checking (#4967)

---
 docs/installation/index.md | 6 +++++-
 src/middleware.js          | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/docs/installation/index.md b/docs/installation/index.md
index dd8c18f3..38fb30ea 100644
--- a/docs/installation/index.md
+++ b/docs/installation/index.md
@@ -29,4 +29,8 @@ You have a few options for deploying homepage, depending on your needs. We offer
 
 ### `HOMEPAGE_ALLOWED_HOSTS`
 
-As of v1.0 there is one required environment variable when deploying via a public URL, <code>HOMEPAGE_ALLOWED_HOSTS</code>. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for examples.
+As of v1.0 there is one required environment variable when deploying via a public URL, <code>HOMEPAGE_ALLOWED_HOSTS</code>. This is a comma separated (no spaces) list of allowed hosts (sometimes with the port) that can access your homepage. See the [docker](docker.md) and [source](source.md) installation pages for more information.
+
+`localhost:3000` and the loopback address `127.0.0.1:3000` are always allowed, but you can add a domain or IP address to this list to allow access from that host such as `HOMEPAGE_ALLOWED_HOSTS=gethomepage.io:1234,gethomepage.dev`, etc.
+
+This can be disabled by setting `HOMEPAGE_ALLOWED_HOSTS` to `*` but this is not recommended.
diff --git a/src/middleware.js b/src/middleware.js
index 853a0094..a2b24f4a 100644
--- a/src/middleware.js
+++ b/src/middleware.js
@@ -4,11 +4,11 @@ export function middleware(req) {
   // Check the Host header, if HOMEPAGE_ALLOWED_HOSTS is set
   const host = req.headers.get("host");
   const port = process.env.PORT || 3000;
-  let allowedHosts = [`localhost:${port}`, `127.0.0.1:${port}`];
+  const allowAll = process.env.HOMEPAGE_ALLOWED_HOSTS === "*";
   if (process.env.HOMEPAGE_ALLOWED_HOSTS) {
     allowedHosts = allowedHosts.concat(process.env.HOMEPAGE_ALLOWED_HOSTS.split(","));
   }
-  if (!host || !allowedHosts.includes(host)) {
+  if (!allowAll && (!host || !allowedHosts.includes(host))) {
     // eslint-disable-next-line no-console
     console.error(
       `Host validation failed for: ${host}. Hint: Set the HOMEPAGE_ALLOWED_HOSTS environment variable to allow requests from this host / port.`,