docs(@angular/ssr): add SSRF security note to createNodeRequestHandle… #33370
karthikrajanv2026 wants to merge 1 commit into
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request adds a security note to the documentation in 'packages/angular/ssr/node/src/handler.ts' regarding 'createWebRequestFromNodeRequest()'. It warns developers about potential Server-Side Request Forgery (SSRF) vulnerabilities when using unvalidated 'Host' and 'X-Forwarded-*' headers, and suggests proper configuration mitigations. There are no review comments, so I have no feedback to provide.
The Hono example in `handler.ts` uses `createWebRequestFromNodeRequest()` directly, which builds `request.url` from `Host`/`X-Forwarded-*` headers without host validation. Unlike `AngularNodeAppEngine`, which documents `allowedHosts` and links to the SSRF security guide, this example carries no security guidance. This PR adds a @remarks note directing users to the existing SSRF documentation.

Reference: https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf
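The host validation the description above refers to, written out as an added example that is not code from this PR and not Angular's own `allowedHosts` implementation: a standalone TypeScript helper that picks the request host from `Host` or `X-Forwarded-Host`, honours the forwarded headers only when the deployment trusts its proxy, checks the hostname against an allow list, and refuses to build an absolute request URL otherwise. The `HostPolicy`, `resolveAllowedHost` and `buildRequestUrl` names, the exact-match hostname policy and the `defaultProtocol` fallback are assumptions of this example.

```typescript
// Added illustration of host validation before URL construction.
// Hypothetical names; not part of @angular/ssr.

export type HeaderMap = Record<string, string | string[] | undefined>;

export interface HostPolicy {
  /** Hostnames the server is willing to serve (exact match, case-insensitive). */
  allowedHosts: string[];
  /** Honour X-Forwarded-Host / X-Forwarded-Proto only behind a proxy you control. */
  trustProxy: boolean;
  /** Scheme to assume when no trusted X-Forwarded-Proto is present. */
  defaultProtocol?: 'http' | 'https';
}

/** First value of a header, taking the first entry of a comma-separated list. */
export function firstHeaderValue(headers: HeaderMap, name: string): string | undefined {
  const raw = headers[name.toLowerCase()];
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (value === undefined) return undefined;
  const first = value.split(',')[0].trim();
  return first.length > 0 ? first : undefined;
}

/** Lower-cased hostname without an optional :port suffix (handles [IPv6]:port). */
export function hostnameOf(hostHeader: string): string {
  if (hostHeader.startsWith('[')) {
    const end = hostHeader.indexOf(']');
    return (end === -1 ? hostHeader : hostHeader.slice(0, end + 1)).toLowerCase();
  }
  return hostHeader.split(':')[0].toLowerCase();
}

/**
 * Resolve the host the request claims to be for. With trustProxy the
 * proxy-supplied X-Forwarded-Host wins; otherwise only Host is consulted.
 * Returns null when the hostname is not on the allow list.
 */
export function resolveAllowedHost(headers: HeaderMap, policy: HostPolicy): string | null {
  const candidate =
    (policy.trustProxy ? firstHeaderValue(headers, 'x-forwarded-host') : undefined) ??
    firstHeaderValue(headers, 'host');
  if (candidate === undefined) return null;
  const allowed = policy.allowedHosts.map((h) => h.toLowerCase());
  return allowed.includes(hostnameOf(candidate)) ? candidate : null;
}

/**
 * Build the absolute URL the app should render, or throw when the host is
 * not allowed. Rejecting here, before any server-side fetch uses the URL,
 * is the mitigation: a client-supplied Host cannot steer absolute-URL
 * construction to a host the operator did not list.
 */
export function buildRequestUrl(headers: HeaderMap, pathAndQuery: string, policy: HostPolicy): string {
  // Node's req.url is origin-form ("/path?query"); a protocol-relative
  // "//other-host/..." would otherwise override the base in new URL().
  if (!pathAndQuery.startsWith('/') || pathAndQuery.startsWith('//')) {
    throw new Error('Request target must be an origin-form path');
  }
  const host = resolveAllowedHost(headers, policy);
  if (host === null) {
    throw new Error('Request host is not in allowedHosts');
  }
  const forwardedProto = policy.trustProxy ? firstHeaderValue(headers, 'x-forwarded-proto') : undefined;
  const protocol =
    forwardedProto === 'https' ? 'https' : forwardedProto === 'http' ? 'http' : policy.defaultProtocol ?? 'http';
  return new URL(pathAndQuery, `${protocol}://${host}`).toString();
}
```

Wiring this in front of a handler means the allow list is an operator setting, not something derived from the request, and that `X-Forwarded-*` is only consulted when `trustProxy` is set for a deployment that actually sits behind a proxy that overwrites those headers.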