In server-side rendering (SSR) setups, passing request URLs directly to the lower-level rendering APIs `renderModule` or `renderApplication` can expose applications to Server-Side Request Forgery (SSRF) or Host Header Injection attacks via absolute-form request URLs.
To mitigate these vulnerabilities at the framework layer, this commit introduces the `allowedHosts` option to `PlatformConfig` (supporting exact hostnames, wildcards like `*.example.com`, or `*` to allow all).
During platform initialization inside `createServerPlatform`, the hostname of the request `url` is validated against the `allowedHosts` list. If the hostname is not authorized, bootstrap immediately throws a host validation error, preventing unauthorized rendering and silent SSRF bypasses.
Closes #68436
(cherry picked from commit
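The kind of check the commit message describes, sketched as an added example that is not Angular's code or part of the commit: match the request URL's hostname against exact names, `*.suffix` wildcards, or `*`, and fail closed otherwise. The function names, the error text, and the choice that `*.example.com` does not cover the apex `example.com` are assumptions made for illustration.

```typescript
// Added illustration; NOT Angular's implementation. All names are hypothetical.

// True when `hostname` matches one allowlist entry:
// an exact name, a "*.suffix" wildcard, or "*" (allow all).
function hostMatches(hostname: string, pattern: string): boolean {
  const host = hostname.toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  const pat = pattern.toLowerCase();
  if (pat === '*') return true;
  if (pat.startsWith('*.')) {
    // Assumption: "*.example.com" covers subdomains only, not the apex.
    const suffix = pat.slice(1); // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pat;
}

// Validates the request URL before any rendering; throws on an unlisted host.
function assertAllowedHost(requestUrl: string, allowedHosts: string[]): string {
  let hostname: string;
  try {
    // An absolute-form URL carries its own host, so parse it instead of
    // string-matching. Relative or malformed input fails closed here.
    hostname = new URL(requestUrl).hostname;
  } catch {
    throw new Error(`Host validation failed: cannot parse "${requestUrl}"`);
  }
  if (!allowedHosts.some((p) => hostMatches(hostname, p))) {
    throw new Error(`Host validation failed: "${hostname}" is not in allowedHosts`);
  }
  return hostname;
}

// Wrapper that reports the outcome as a string instead of throwing.
function check(url: string, allowed: string[]): string {
  try {
    return 'ok:' + assertAllowedHost(url, allowed);
  } catch {
    return 'rejected';
  }
}

// Constructed sample request URLs (not taken from the commit).
const SAMPLES: string[] = [
  'https://app.example.com/home',
  'https://evilexample.com/',
  'https://example.com@evil.test/',
  'http://169.254.169.254/latest',
];
for (const u of SAMPLES) console.log(u, '->', check(u, ['example.com', '*.example.com']));
```

Comparing the parsed hostname, rather than searching the raw URL string for an allowed name, is what keeps lookalike suffixes and userinfo tricks from passing.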
Angular - The modern web developer's platform
Angular is a development platform for building mobile and desktop web applications
using TypeScript/JavaScript and other languages.
Documentation
Get started with Angular, learn the fundamentals and explore advanced topics on our documentation website.
Advanced
Local Development
To contribute to the Angular Docs, check out the Angular.dev README
Development Setup
Prerequisites
- Install Node.js which includes Node Package Manager
Setting Up a Project
Install the Angular CLI globally:
npm install -g @angular/cli
Create a workspace:
ng new [PROJECT NAME]
Run the application:
cd [PROJECT NAME]
ng serve
Angular is cross-platform, fast, scalable, has incredible tooling, and is loved by millions.
Quickstart
Ecosystem
Changelog
Learn about the latest improvements.
Upgrading
Check out our upgrade guide to find out the best way to upgrade your project.
Contributing
Contributing Guidelines
Read through our contributing guidelines to learn about our submission process, coding rules, and more.
Want to Help?
Want to report a bug, contribute some code, or improve the documentation? Excellent! Read up on our guidelines for contributing and then check out one of our issues labeled as help wanted or good first issue.
Code of Conduct
Help us keep Angular open and inclusive. Please read and follow our Code of Conduct.
Community
Join the conversation and help the community.
- X (formerly Twitter)
- Bluesky
- Discord
- YouTube
- StackOverflow
- Find a Local Meetup
Love Angular? Give our repo a star ⭐ ⬆️.