server actions x-forwarded-host mismatch caused by trailing period
Unanswered
Western paper wasp (OP) posted this in #help-forum
I found a few errors like these in my app’s logs:

`x-forwarded-host` header with value `match.box` does not match `origin` header with value `match.box.` from a forwarded Server Actions request. Aborting the action.

I understand that the forwarded-host/origin check exists to prevent CSRF attacks, and that I can allow-list certain origins with `experimental.serverActions.allowedOrigins`. However, I don’t know why clients would send the Origin header with a trailing period—I don’t think the site is even accessible with the trailing period because my Vercel-issued SSL cert doesn’t cover that.

Is a trailing period on `Origin` common client behavior? Is it safe to add the trailing-period version of the origin to `allowedOrigins`, or could that create a security risk? Is this a case that Next.js should handle by default?