docs: update security warnings around server.cors and server.allowedHosts
#19378
+18
−5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: "Dominik G." <dominik.goepel@gmx.de>
sapphi-red
commented
Feb 7, 2025
docs/config/server-options.md
Outdated
Comment on lines
185
to
189
| ::: danger | ||
|
|
||
| We recommend setting a specific value rather than `true` to avoid exposing the source code to untrusted origins. | ||
| Setting this to `true` grants any websites to send requests to your dev server, allowing them to download your source code and content. We recommend always using an explicit list of allowed origins. | ||
|
|
||
| ::: |
There was a problem hiding this comment.
@dominikg I updated the warning here based on your suggestion 👍
docs/config/server-options.md
Outdated
Comment on lines
66
to
70
| ::: danger | ||
|
|
||
| Setting this to `true` virtually grants any websites to send requests to your dev server by DNS rebinding attacks, allowing them to download your source code and content. We recommend always using an explicit list of allowed hosts. See [GHSA-vg6x-rcgg-rjx6](https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6) for more details. | ||
|
|
||
| ::: |
There was a problem hiding this comment.
Added a similar warning to server.cors for server.allowedHosts as well. Technically, it is safe to set server.allowedHosts: true if the dev server runs behind a reverse proxy (the reverse proxy needs to check the host in that case though). But I didn't mention it here as I guess that usage isn't common and setting allowedHosts doesn't hurt.
Comment on lines
+56
to
+64
| ::: details What hosts are safe to be added? | ||
|
|
||
| Hosts that you have control over which IP addresses they resolve to are safe to add to the list of allowed hosts. | ||
|
|
||
| For example, if you own a domain `vite.dev`, you can add `vite.dev` and `.vite.dev` to the list. If you don't own that domain and you cannot trust the owner of that domain, you should not add it. | ||
|
|
||
| Especially, you should never add Top-Level Domains like `.com` to the list. This is because anyone can purchase a domain like `example.com` and control the IP address it resolves to. | ||
|
|
||
| ::: |
There was a problem hiding this comment.
While CORS is a general thing, this allowedHosts is not that general and the users weren't sure what value are safe to be set. I added a explanation here.
patak-dev
reviewed
Feb 7, 2025
patak-dev
reviewed
Feb 7, 2025
Co-authored-by: patak <583075+patak-dev@users.noreply.github.com>
patak-dev
approved these changes
Feb 7, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
refs #19345
refs ddev/ddev.com#313 (review)
refs #19287
refs storybookjs/storybook#30432