angular/goldens
Alan Agius 629905d537 fix(platform-server): add allowedHosts option to renderModule and renderApplication
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).

During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.

Closes #68436

(cherry picked from commit 60552a73e8)
2026-05-07 15:30:07 -07:00
..
public-api fix(platform-server): add allowedHosts option to renderModule and renderApplication 2026-05-07 15:30:07 -07:00
vscode-extension feat(language-service): add JSON schema for angularCompilerOptions 2026-01-30 14:20:25 -08:00
BUILD.bazel build: rename defaults2.bzl to defaults.bzl (#63383) 2025-08-25 15:45:01 -07:00
README.md build: format md files 2025-11-06 10:03:05 -08:00

public-api/

This directory contains all of the public api goldens for our npm packages we publish to NPM. These are tested on all PRs and commits as part of our bazel tests.

To check or update the public api goldens, run one of the following commands:

pnpm public-api:check
pnpm public-api:update