ActionHero now allows you to define a collection of host headers which this API server will allow access from. You can set these via `api.config.servers.web.allowedRequestHosts`. If the `Host` header of a client does not match one of those listed (protocol counts!), they will be redirected to the first one present.
You can also set `process.env.ALLOWED_HOSTS`, which will be parsed as a comma-separated list of hosts and used to set `api.config.servers.web.allowedRequestHosts`.
By @evantahler via #973
---
V15.1.5 fixes a bug introduced with v15.1.4 which was improperly detecting client protocols (`http` vs `https`) when using the new `api.config.servers.web.allowedRequestHosts` host restrictions.
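The host restriction and the protocol detection it depends on, sketched as an added example that is not ActionHero's own code. The function names, the `trustProxy` switch, the use of `X-Forwarded-Proto`, keeping the request path on redirect, and treating an empty list as "no restriction" are all assumptions; the `example.com` hosts are constructed.

```javascript
// Added illustration, not ActionHero source. All function names are hypothetical.

// Parse an ALLOWED_HOSTS-style value: comma-separated, whitespace tolerated.
function parseAllowedHosts(envValue) {
  if (!envValue) return [];
  return envValue.split(',').map((h) => h.trim()).filter((h) => h.length > 0);
}

// Assumption: the protocol is taken from the socket's TLS state. The
// X-Forwarded-Proto header is honoured only when the operator declares the
// proxy trusted, because a client can set that header itself otherwise.
function clientProtocol(req, trustProxy) {
  const forwarded = req.headers['x-forwarded-proto'];
  if (trustProxy && forwarded) {
    const first = forwarded.split(',')[0].trim().toLowerCase();
    return first === 'https' ? 'https' : 'http';
  }
  return req.socket && req.socket.encrypted ? 'https' : 'http';
}

// Compare "<protocol>://<Host header>" with the allowed list. On a mismatch,
// point the client at the first allowed entry (path kept: an assumption).
function checkRequestHost(req, allowedHosts, trustProxy = false) {
  if (allowedHosts.length === 0) return { allowed: true }; // assumption: unset = off
  const host = (req.headers.host || '').toLowerCase();
  const origin = `${clientProtocol(req, trustProxy)}://${host}`;
  if (allowedHosts.some((h) => h.toLowerCase() === origin)) {
    return { allowed: true };
  }
  return { allowed: false, redirectTo: allowedHosts[0] + (req.url || '/') };
}

// Constructed sample requests (plain objects shaped like Node's IncomingMessage).
function demo() {
  const allowed = parseAllowedHosts('https://www.example.com, https://example.com');
  const mk = (host, encrypted, extra = {}) => ({
    url: '/api/status',
    socket: { encrypted },
    headers: { host, ...extra },
  });
  return {
    tlsDirect: checkRequestHost(mk('www.example.com', true), allowed),
    plainHttp: checkRequestHost(mk('www.example.com', false), allowed),
    behindProxy: checkRequestHost(
      mk('www.example.com', false, { 'x-forwarded-proto': 'https' }), allowed, true),
    otherHost: checkRequestHost(mk('api.example.net', true), allowed),
  };
}
```

With TLS terminated at a load balancer, the socket seen by Node is plaintext, so a deployment like `behindProxy` only matches an `https://` entry when the forwarded protocol is taken into account.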