Update middleware.js

Security: support host header validation
2025-01-27 16:01:44 -08:00 · 2025-01-27 15:02:27 -08:00
1 changed files with 18 additions and 0 deletions
--- a/src/middleware.js
+++ b/src/middleware.js
@ -0,0 +1,18 @@
+import { NextResponse } from "next/server";
+
+export function middleware(req) {
+  // Check the Host header, if HOMEPAGE_ALLOWED_HOSTS is set
+  const host = req.headers.get("host");
+  const allowedHosts = process.env.HOMEPAGE_ALLOWED_HOSTS
+    ? process.env.HOMEPAGE_ALLOWED_HOSTS.split(",").concat(["localhost:3000"])
+    : [];
+  console.log("Host: ", host, "Allowed Hosts: ", allowedHosts);
+  if (allowedHosts.length && !(host || allowedHosts.includes(host))) {
+    return new NextResponse("Invalid Host header", { status: 400 });
+  }
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: "/api/:path*",
+};
Author	SHA1	Message	Date
shamoon	eeda1563fd	Update middleware.js	2025-01-27 16:01:44 -08:00
shamoon	ee7be33fa1	Security: support host header validation	2025-01-27 15:02:27 -08:00