Code | Tracked since May 19, 2026

Add Host-header gate to all /api routes to block DNS-rebinding abuse

Introduces a new Next.js middleware for `/api/*` that validates the `Host` header via a new centralized validator, defaulting to a loopback-only allowlist (127.0.0.1/localhost/::1/0.0.0.0 on any port) and returning 403 when the host is not allowed, with optional operator overrides via environment variables.

Next.js middleware, Host header allowlist, DNS rebinding, src/app/api/convert

What Happened

  • Introduces a new Next.js middleware for `/api/*` that validates the `Host` header via a new centralized validator, defaulting to a loopback-only allowlist (127.0.0.1/localhost/::1/0.0.0.0 on any port) and returning 403 when the host is not allowed, with optional operator overrides via environment variables.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Added centralized `/api/*` request filtering in `src/middleware.ts` using `isRequestHostAllowed`, backed by `src/lib/security/host-validation.ts`, to reject attacker-controlled hosts before route handlers execute. This directly closes unauthenticated API abuse paths that previously allowed remote-triggered local agent execution and token overwrite/deploy actions through browser-driven requests.
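
A minimal sketch of the Host-header check described above, added here as an illustration and not taken from the project's `src/lib/security/host-validation.ts`. The names `isHostAllowed`, `parseHostHeader`, `gateStatus` and the `extraHosts` override parameter are assumptions; only the loopback defaults, the 403 response and `HTML_ANYTHING_ALLOW_ANY_HOST` come from this page.

```typescript
// Added illustration; NOT the project's src/lib/security/host-validation.ts.
// Default allowlist as described on this page (any port is accepted).
const LOOPBACK_HOSTS: string[] = ["127.0.0.1", "localhost", "::1", "0.0.0.0"];

type Env = Record<string, string | undefined>;

// Split a Host header into a lowercase hostname and optional port.
// IPv6 literals must be bracketed ("[::1]:3000"); malformed input returns null.
function parseHostHeader(value: string): { hostname: string; port: string } | null {
  const v = value.trim().toLowerCase();
  let m = /^\[([0-9a-f:.]+)\](?::(\d{1,5}))?$/.exec(v);
  if (!m) m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/.exec(v);
  if (!m) return null;
  // Drop a trailing dot so "localhost." compares equal to "localhost".
  return { hostname: (m[1] || "").replace(/\.$/, ""), port: m[2] || "" };
}

// extraHosts is a hypothetical operator override list (parameter name assumed).
function isHostAllowed(
  hostHeader: string | null,
  env: Env,
  extraHosts: string[] = []
): boolean {
  // Escape hatch named on this page: disables the check entirely.
  if (env["HTML_ANYTHING_ALLOW_ANY_HOST"] === "1") return true;
  if (!hostHeader) return false; // fail closed on a missing header
  const parsed = parseHostHeader(hostHeader);
  if (!parsed) return false; // fail closed on an unparseable header
  const allowed = LOOPBACK_HOSTS.concat(extraHosts.map((h) => h.toLowerCase()));
  // Exact hostname match only: no suffix or substring matching, so
  // "localhost.attacker.example" does not pass as "localhost".
  return allowed.indexOf(parsed.hostname) !== -1;
}

// What the gate decides for an /api/* request before any route handler runs:
// 403 to reject, null to let the request continue.
function gateStatus(hostHeader: string | null, env: Env = {}): number | null {
  return isHostAllowed(hostHeader, env) ? null : 403;
}
```

The hostnames used to exercise this sketch (`rebind.attacker.example`, `dev.internal.example`) are constructed sample values.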

Why Track This

Why It Matters

Developers running html-anything locally are protected from drive-by attacks that could silently execute local coding-agent CLIs and write attacker-controlled Vercel credentials, because API calls from a DNS-rebound origin are now blocked before they reach sensitive routes. The practical outcome is reduced risk of local machine compromise (for example, exfiltrating `~/.ssh/id_rsa` via convert prompts or hijacking deploys via `/api/deploy/config`). After this change, the remaining risk is concentrated in deployments that intentionally disable host checks (`HTML_ANYTHING_ALLOW_ANY_HOST=1`) or rely on reverse-proxy Host rewriting, so operators should verify that the proxy enforces Host/Origin and that the environment configuration carries over unchanged into production.

What To Watch Next

  • Watch whether Next.js middleware becomes a repeated pattern.
  • Track follow-up changes around AI Security.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: `allow_any_host_bypass_enabled`, `reverse_proxy_host_rewrite_misconfig`.

`allow_any_host_bypass_enabled` / `reverse_proxy_host_rewrite_misconfig` / `optional_override_misuse`

Supporting Evidence