Back to Signal Feed
CodeTracked since May 18, 2026

Add Host-header allowlist on all /api routes to block DNS-rebinding attack surfaces

This change introduces a new Next.js middleware and shared host validator that enforce an allowlist on every `/api/*` request, so API handlers like convert/deploy can only be called from loopback by default (`127.0.0.1`, `localhost`, `::1`) unless operators explicitly extend hosts or intentionally disable the gate via environment variables.

Next.js middlewareHost header/api/* route protectionhost allowlist

What Happened

  • This change introduces a new Next.js middleware and shared host validator that enforce an allowlist on every `/api/*` request, so API handlers like convert/deploy can only be called from loopback by default (`127.0.0.1`, `localhost`, `::1`) unless operators explicitly extend hosts or intentionally disable the gate via environment variables.
  • This change introduces a new Next.js middleware and shared host validator that enforce an allowlist on every `/api/*` request, so API handlers like convert/deploy can only be called from loopback by default (`127.0.0.1`, `localhost`, `::1`) unless operators explicitly extend hosts or intentionally disable the gate via environment variables.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Implemented a centralized Host-gating layer for all API endpoints that rejects requests from unapproved hostnames before they reach sensitive handlers, while preserving local dev behavior and adding explicit operator controls for LAN hosts and reverse-proxy deployments.

Why Track This

Why It Matters

Local users of html-anything are less exposed to silent drive-by compromises because API calls from attacker-controlled hostnames are now blocked before they can trigger dangerous actions, such as remote code-execution prompts to local agent CLIs or unauthorized Vercel-token writes. This matters operationally: if a user visits a malicious page while a dev server is running, the server now returns 403 for untrusted `Host` headers instead of spawning commands with skip-permission flags or accepting token swaps. Watch for two follow-ups: whether reverse-proxy setups correctly rewrite/validate Host and whether anyone enables `HTML_ANYTHING_ALLOW_ANY_HOST=1` outside trusted boundaries, because that opt-out restores exposure to the same attack class.

Impact

Local users of html-anything are less exposed to silent drive-by compromises because API calls from attacker-controlled hostnames are now blocked before they can trigger dangerous actions, such as remote code-execution prompts to local agent CLIs or unauthorized Vercel-token writes. This matters operationally: if a user visits a malicious page while a dev server is running, the server now returns 403 for untrusted `Host` headers instead of spawning commands with skip-permission flags or accepting token swaps. Watch for two follow-ups: whether reverse-proxy setups correctly rewrite/validate Host and whether anyone enables `HTML_ANYTHING_ALLOW_ANY_HOST=1` outside trusted boundaries, because that opt-out restores exposure to the same attack class.

What To Watch Next

  • Watch whether Next.js middleware becomes a repeated pattern.
  • Track follow-up changes around AI Coding Agents.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: allow_any_host_opt_out_misconfigured, reverse_proxy_host_rewrite_inconsistent.
Open Topic TimelineOpen Technical EventOpen Original Sourceallow_any_host_opt_out_misconfigured / reverse_proxy_host_rewrite_inconsistent / external_integration_bypassing_api_path / host_validation_not_applied_to_non_api_attack_paths

Supporting Evidence

GITHUB PULL REQUESTHigh Trust

nexu-io/html-anything PR #61: fix(security): validate Host header on /api/* to block DNS rebinding

The PR adds `src/middleware.ts` with `/api/:path*` matching and a new `src/lib/security/host-validation.ts` validator to reject unauthorized `Host` values (e.g., `attacker.example`) with HTTP 403.