Currently it looks like indiekit infers its hostname from the Host HTTP header, and the protocol similarly: indiekit/packages/indiekit/lib/middleware/locals.js, line 18 in 29e9718.

This isn't ideal for running behind a reverse proxy like nginx, since nginx has to be configured to pass through the Host header, and as far as the indiekit server is concerned, it's always being accessed via non-SSL HTTP.

More concerningly, I wonder if this might be a security issue. I suspect not, but when signing in with IndieAuth, the IndieAuth server redirects to wherever the Host header indicated, which could potentially be used to steal authentication tokens. I can't see an actual attack using this, but it still gives me the heebie jeebies.

Hi @adrusi. The nginx proxy issue has come up a few times before, but I'm not quite sure how else to get this information into the app besides using headers.

However, I've now made it possible to override this default, by passing a value for application.url into the config. You can do this like so: