
fix(@angular/ssr): support '*' in allowedHosts and warn about security risks #32827

Merged: alan-agius4 merged 2 commits into angular:main from alan-agius4:allowed-host-star on Mar 25, 2026

Conversation

@alan-agius4 (Collaborator) commented Mar 24, 2026

This commit adds support for '*' in allowedHosts for SSR, allowing any host to be validated. It also adds a security warning when '*' is used to inform users of the potential risks of allowing all host headers.

Additionally, it enables '*' for the Vite dev server when 'allowedHosts' is set to 'true'.

Closes #32729

@alan-agius4 alan-agius4 requested a review from dgp1130 March 24, 2026 13:14
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: patch This PR is targeted for the next patch release labels Mar 24, 2026

@gemini-code-assist (bot) left a comment

Code Review

This pull request correctly implements support for * in allowedHosts for SSR, including a necessary security warning when this feature is used. The changes are logical, and the new functionality is well-tested.

// eslint-disable-next-line no-console
console.warn(
'Allowing all hosts via "*" is a security risk. This configuration should only be used when ' +
'validation for "Host" and "X-Forwarded-Host" headers is performed in another layer.',
@dgp1130 (Collaborator) commented Mar 24, 2026

Consider: Can we expand on "another layer"? That feels vague enough that some devs might not understand what it means. Maybe say something about the production serving environment or cloud middleware / CDN / gateway handling this?

Also, should we include a link to some documentation in adev to 1) make clear that this is an Angular error, 2) draw a direct reference to the allowedHosts property, and 3) expand on the broader context of the problem this is catching (i.e. why we have allowedHosts in the first place, what we mean by "hosts", etc.)?

Collaborator (author):

Added

@@ -224,7 +224,7 @@ function verifyHostAllowed(
* @returns `true` if the hostname is allowed, `false` otherwise.
*/
function isHostAllowed(hostname: string, allowedHosts: ReadonlySet<string>): boolean {
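Review bot: the JSDoc above `isHostAllowed` (only its `@returns` line is visible in this hunk) should state the new `*` semantics, i.e. that a `*` entry in `allowedHosts` allows every hostname and that any other entries are then ignored, as agreed in this thread; nothing in the signature `isHostAllowed(hostname: string, allowedHosts: ReadonlySet<string>): boolean` tells a reader that one entry acts as a wildcard.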
Collaborator:

Question: Do we care about the case of allowedHosts = new Set(['*', 'example.test'])? Should we warn / error for extra hosts which will no-op or is it fine to just silently ignore this case?

Collaborator (author):

I think it's fine to ignore this case and just warn about *
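The wildcard semantics described in the PR description and the `['*', 'example.test']` case raised in this thread, as an added TypeScript illustration that is not @angular/ssr's own code. The names `isHostAllowed` and `verifyHostAllowed` come from the diff; the exact-match rule, the port stripping and the checking of both Host and X-Forwarded-Host are assumptions of this example.

```typescript
// Added illustration (not @angular/ssr's own code) of "*" wildcard host validation.
// Assumptions: entries match the request hostname exactly (case-insensitive, port ignored)
// unless the set contains "*"; both Host and X-Forwarded-Host are validated.

const WILDCARD_HOST_WARNING =
  'Allowing all hosts via "*" is a security risk. This configuration should only be used when ' +
  'validation for "Host" and "X-Forwarded-Host" headers is performed in another layer.';

/** Lower-case the name and strip any port: "Example.test:4200" -> "example.test", "[::1]:80" -> "[::1]". */
function normalizeHost(headerValue: string): string {
  const value = headerValue.trim().toLowerCase();
  const pattern = value.charAt(0) === '[' ? /^(\[[^\]]+\])(?::\d+)?$/ : /^([^:]+)(?::\d+)?$/;
  const m = pattern.exec(value);
  return m ? m[1] : value;
}

/** "*" allows every host and makes the other entries no-ops; otherwise an entry must match exactly. */
function isHostAllowed(hostname: string, allowedHosts: ReadonlySet<string>): boolean {
  if (allowedHosts.has('*')) {
    return true;
  }
  return allowedHosts.has(normalizeHost(hostname));
}

/**
 * Validate one request. Host and every X-Forwarded-Host value (one per proxy hop) must be
 * allowed, so a forwarded header that the upstream layer did not sanitise is still rejected
 * unless "*" is configured. The warning text is returned so the caller can log it once.
 */
function verifyHostAllowed(
  headers: Readonly<Record<string, string | undefined>>,
  allowedHosts: ReadonlySet<string>,
): { allowed: boolean; warning?: string } {
  const warning = allowedHosts.has('*') ? WILDCARD_HOST_WARNING : undefined;
  const candidates: string[] = [];
  for (const raw of [headers['host'], headers['x-forwarded-host']]) {
    if (typeof raw !== 'string') continue;
    for (const part of raw.split(',')) {
      if (part.trim().length > 0) candidates.push(part.trim());
    }
  }
  // A request carrying no host header at all is only accepted under "*".
  if (candidates.length === 0) {
    return { allowed: allowedHosts.has('*'), warning };
  }
  return { allowed: candidates.every((h) => isHostAllowed(h, allowedHosts)), warning };
}
```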

@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Mar 25, 2026
@alan-agius4 alan-agius4 merged commit 3b99ee1 into angular:main Mar 25, 2026
35 checks passed
@alan-agius4 alan-agius4 deleted the allowed-host-star branch March 25, 2026 08:36
@alan-agius4 (Collaborator, author):

This PR was merged into the repository. The changes were merged into the following branches:


Labels: action: merge (The PR is ready for merge by the caretaker); area: @angular/ssr; target: patch (This PR is targeted for the next patch release)


Linked issue (may be closed by merging this pull request): (@angular/ssr): strict host header validation breaks multi-tenant apps
