Commit 5f0203a

docs(@angular/ssr): add SSRF security note to createNodeRequestHandler Hono example
1 parent e6e88e2 commit 5f0203a

1 file changed

Lines changed: 8 additions & 0 deletions

packages/angular/ssr/node/src/handler.ts

@@ -55,6 +55,14 @@ export type NodeRequestHandlerFunction = (
5555
* });
5656
* ```
5757
*
58+
* @remarks
59+
* **Security note:** `createWebRequestFromNodeRequest()` builds the request URL directly from the
60+
* `Host` and `X-Forwarded-*` headers and does not validate them. When integrating with a
61+
* third-party framework as shown above, configure `allowedHosts` (and, if needed,
62+
* `trustProxyHeaders`) via `AngularNodeAppEngine`, or otherwise validate these headers yourself,
63+
* to prevent Server-Side Request Forgery (SSRF). For more information, see
64+
* https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf.
65+
*
5866
* @example
5967
* Usage in a Fastify application:
6068
* ```ts
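
Review bot: the remark at added lines 58-65 says "as shown above" and sits between the Hono example and the Fastify example that follows, so it reads as applying to the Hono integration only, while the warning itself is about `createWebRequestFromNodeRequest()` and not about one framework. Consider wording it framework-neutrally (for example "When integrating with a third-party framework, ...") or moving the `@remarks` block ahead of the first `@example` so it covers every example in the doc comment. The fallback "or otherwise validate these headers yourself" is also left open: stating what to check (the `Host` and `X-Forwarded-*` values against a list of expected hosts, before the request URL is built) would make it actionable for readers who do not use `AngularNodeAppEngine`.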
