angular

mirror of https://github.com/angular/angular synced 2026-05-24 09:28:37 +00:00

History

Alan Agius 60552a73e8 fix(platform-server): add `allowedHosts` option to `renderModule` and `renderApplication` In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs. To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `.example.com`, or `` to allow all). During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses. Closes #68436	2026-05-07 16:30:03 -06:00
..
ngmodule	fix(platform-server): add `allowedHosts` option to `renderModule` and `renderApplication`	2026-05-07 16:30:03 -06:00
standalone	fix(platform-server): add `allowedHosts` option to `renderModule` and `renderApplication`	2026-05-07 16:30:03 -06:00

Alan Agius 60552a73e8 fix(platform-server): add allowedHosts option to renderModule and renderApplication

In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).

During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.

Closes #68436

2026-05-07 16:30:03 -06:00

ngmodule fix(platform-server): add allowedHosts option to renderModule and renderApplication 2026-05-07 16:30:03 -06:00

standalone fix(platform-server): add allowedHosts option to renderModule and renderApplication 2026-05-07 16:30:03 -06:00