fix(@angular/ssr): support '*' in allowedHosts and warn about security risks

alan-agius4 · web-flow · commit 3b99ee140db8 · 2026-03-25T09:35:55.000+01:00
This commit adds support for '*' in allowedHosts for SSR, allowing any host to be validated. It also adds a security warning when '*' is used to inform users of the potential risks of allowing all host headers.
diff --git a/packages/angular/build/src/builders/dev-server/vite/index.ts b/packages/angular/build/src/builders/dev-server/vite/index.ts
@@ -101,7 +101,9 @@ export async function* serveWithVite(
   // Angular SSR supports `*.`.
   const allowedHosts = Array.isArray(serverOptions.allowedHosts)
     ? serverOptions.allowedHosts.map((host) => (host[0] === '.' ? '*' + host : host))
-    : [];
+    : serverOptions.allowedHosts === true
+      ? ['*']
+      : [];
 
   // Always allow the dev server host
   allowedHosts.push(serverOptions.host);
diff --git a/packages/angular/ssr/src/app-engine.ts b/packages/angular/ssr/src/app-engine.ts
@@ -88,7 +88,22 @@ export class AngularAppEngine {
    * @param options Options for the Angular server application engine.
    */
   constructor(options?: AngularAppEngineOptions) {
-    this.allowedHosts = new Set([...(options?.allowedHosts ?? []), ...this.manifest.allowedHosts]);
+    this.allowedHosts = this.getAllowedHosts(options);
+  }
+
+  private getAllowedHosts(options: AngularAppEngineOptions | undefined): ReadonlySet<string> {
+    const allowedHosts = new Set([...(options?.allowedHosts ?? []), ...this.manifest.allowedHosts]);
+
+    if (allowedHosts.has('*')) {
+      // eslint-disable-next-line no-console
+      console.warn(
+        'Allowing all hosts via "*" is a security risk. This configuration should only be used when ' +
+          'validation for "Host" and "X-Forwarded-Host" headers is performed in another layer, such as a load balancer or reverse proxy. ' +
+          'For more information see: https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf',
+      );
+    }
+
+    return allowedHosts;
   }
 
   /**
diff --git a/packages/angular/ssr/src/utils/validation.ts b/packages/angular/ssr/src/utils/validation.ts
@@ -224,7 +224,7 @@ function verifyHostAllowed(
  * @returns `true` if the hostname is allowed, `false` otherwise.
  */
 function isHostAllowed(hostname: string, allowedHosts: ReadonlySet<string>): boolean {
-  if (allowedHosts.has(hostname)) {
+  if (allowedHosts.has('*') || allowedHosts.has(hostname)) {
     return true;
   }
 
diff --git a/packages/angular/ssr/test/utils/validation_spec.ts b/packages/angular/ssr/test/utils/validation_spec.ts
@@ -64,6 +64,13 @@ describe('Validation Utils', () => {
         /URL with hostname "google.com" is not allowed/,
       );
     });
+
+    it('should pass for all hostnames when "*" is used', () => {
+      const allowedHosts = new Set(['*']);
+      expect(() => validateUrl(new URL('http://example.com'), allowedHosts)).not.toThrow();
+      expect(() => validateUrl(new URL('http://google.com'), allowedHosts)).not.toThrow();
+      expect(() => validateUrl(new URL('http://evil.com'), allowedHosts)).not.toThrow();
+    });
   });
 
   describe('validateRequest', () => {
@@ -242,6 +249,15 @@ describe('Validation Utils', () => {
       expect(secured.headers.get('host')).toBe('example.com');
     });
 
+    it('should allow any host header when "*" is used', () => {
+      const allowedHosts = new Set(['*']);
+      const req = new Request('http://example.com', {
+        headers: { 'host': 'evil.com' },
+      });
+      const { request: secured } = cloneRequestAndPatchHeaders(req, allowedHosts);
+      expect(secured.headers.get('host')).toBe('evil.com');
+    });
+
     it('should validate x-forwarded-host header', async () => {
       const req = new Request('http://example.com', {
         headers: { 'x-forwarded-host': 'evil.com' },

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,7 @@ function verifyHostAllowed(`
`224`	`224`	* @returns `true` if the hostname is allowed, `false` otherwise.
`225`	`225`	`*/`
`226`	`226`	`function isHostAllowed(hostname: string, allowedHosts: ReadonlySet<string>): boolean {`
`227`		`- if (allowedHosts.has(hostname)) {`
	`227`	`+ if (allowedHosts.has('*') \|\| allowedHosts.has(hostname)) {`
`228`	`228`	`return true;`
`229`	`229`	`}`
`230`	`230`