fixup! fix(@angular/ssr): support '*' in allowedHosts and warn about security risks

alan-agius4 · alan-agius4 · commit a4deca2161a4 · 2026-03-25T07:13:02.000Z
diff --git a/packages/angular/ssr/src/app-engine.ts b/packages/angular/ssr/src/app-engine.ts
@@ -98,7 +98,8 @@ export class AngularAppEngine {
       // eslint-disable-next-line no-console
       console.warn(
         'Allowing all hosts via "*" is a security risk. This configuration should only be used when ' +
-          'validation for "Host" and "X-Forwarded-Host" headers is performed in another layer.',
+          'validation for "Host" and "X-Forwarded-Host" headers is performed in another layer, such as a load balancer or reverse proxy. ' +
+          'For more information see: https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf',
       );
     }
 

Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,8 @@ export class AngularAppEngine {`
`98`	`98`	`// eslint-disable-next-line no-console`
`99`	`99`	`console.warn(`
`100`	`100`	`'Allowing all hosts via "*" is a security risk. This configuration should only be used when ' +`
`101`		`- 'validation for "Host" and "X-Forwarded-Host" headers is performed in another layer.',`
	`101`	`+ 'validation for "Host" and "X-Forwarded-Host" headers is performed in another layer, such as a load balancer or reverse proxy. ' +`
	`102`	`+ 'For more information see: https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf',`
`102`	`103`	`);`
`103`	`104`	`}`
`104`	`105`