[BREAKING] Enhancement: require host validation (#4744)

2026-01-06 23:42:09 +08:00 · 2025-02-11 21:30:00 -08:00
parent 91d5fc8e42
commit 05af70d11b
4 changed files with 47 additions and 2 deletions
--- a/src/middleware.js
+++ b/src/middleware.js
@@ -0,0 +1,23 @@
+import { NextResponse } from "next/server";
+
+export function middleware(req) {
+  // Check the Host header, if HOMEPAGE_ALLOWED_HOSTS is set
+  const host = req.headers.get("host");
+  const port = process.env.PORT || 3000;
+  let allowedHosts = [`localhost:${port}`];
+  if (process.env.HOMEPAGE_ALLOWED_HOSTS) {
+    allowedHosts = allowedHosts.concat(process.env.HOMEPAGE_ALLOWED_HOSTS.split(","));
+  }
+  if (!host || !allowedHosts.includes(host)) {
+    // eslint-disable-next-line no-console
+    console.error(
+      `Host validation failed for: ${host}. Hint: Set HOMEPAGE_ALLOWED_HOSTS to allow requests from this host.`,
+    );
+    return NextResponse.json({ error: "Host validation failed. See logs for more details." }, { status: 400 });
+  }
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: "/api/:path*",
+};