mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).
During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.
Closes #68436
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| public-api | ||
| vscode-extension | ||
| BUILD.bazel | ||
| README.md | ||
public-api/
This directory contains all of the public api goldens for our npm packages we publish to NPM. These are tested on all PRs and commits as part of our bazel tests.
To check or update the public api goldens, run one of the following commands:
pnpm public-api:check
pnpm public-api:update