(@angular/ssr): strict host header validation breaks multi-tenant apps #32729

@stpp2

Which @angular/* package(s) are the source of the bug?

platform-server

Is this a regression?

Yes

Description

Is this a regression?

  • Yes, this behavior used to work in the previous version

The previous version in which this bug was not present was

@angular/ssr 21.0.x (regression observed after upgrading to 21.1.x)

Description

After upgrading to 21.1.x, which includes strict SSR host/forwarded-header validation, multi-tenant SSR apps started failing for valid tenant domains. This is something that was being validated upstream so far, so there is no need to validate at the Angular level.

This is noted here - https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf

Since this change, requests that used to SSR-render now fail and only do CSR:

This is a regression for apps that cannot predict all tenant hosts via allowedHosts.

Proposed solution

Allow a wildcard for allowedHosts or bypass the SSRF check altogether.

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw


Please provide the environment you discovered this bug in (run ng version)


Anything else?

No response
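
An added example, not part of the issue and not Angular's code: a standalone sketch of upstream Host validation for a multi-tenant deployment, where a `*.` pattern matches one tenant label on a label boundary. All function names and the `example.com` tenant patterns are hypothetical.

```javascript
// Added example. Function names and tenant patterns are hypothetical,
// not Angular's API. Sample hosts in the checks are constructed.
const LABEL = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp(`^(?=.{1,253}$)${LABEL}(?:\\.${LABEL})*$`);

// Returns the lowercase hostname without port, or null if malformed.
// IPv6 literals and multi-valued headers are rejected on purpose.
function normalizeHost(value) {
  if (typeof value !== 'string') return null;
  const m = /^([^:]+)(?::(\d{1,5}))?$/.exec(value.toLowerCase());
  if (!m) return null;
  if (m[2] !== undefined && Number(m[2]) > 65535) return null;
  const host = m[1].replace(/\.$/, ''); // drop a trailing root dot
  return HOSTNAME_RE.test(host) ? host : null;
}

// "*.example.com" matches exactly one extra label, on a label boundary.
function matchesPattern(host, pattern) {
  const p = pattern.toLowerCase();
  if (!p.startsWith('*.')) return host === p;
  const suffix = p.slice(1); // ".example.com"
  if (!host.endsWith(suffix)) return false;
  const tenant = host.slice(0, host.length - suffix.length);
  return tenant.length > 0 && !tenant.includes('.');
}

function isAllowedHost(value, patterns) {
  const host = normalizeHost(value);
  return host !== null && patterns.some((p) => matchesPattern(host, p));
}

// X-Forwarded-Host is client-controlled unless a trusted proxy sets it,
// so it is consulted only when trustProxy is true.
function checkRequest(headers, patterns, trustProxy) {
  const forwarded = trustProxy ? headers['x-forwarded-host'] : undefined;
  return isAllowedHost(forwarded !== undefined ? forwarded : headers['host'], patterns);
}
```

Matching on the label boundary is what keeps a host such as `evilexample.com` from satisfying `*.example.com`, which a plain string-suffix comparison would allow.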
