Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/07/11 08:00:25 UTC

[ofbiz-framework] 04/04: Fixed: don't remove localhost from host-headers-allowed it was only for testing

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit d0fceffadda57dbe6e87398c47b4a575bc33137d
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Jul 11 09:57:56 2020 +0200

    Fixed: don't remove localhost from host-headers-allowed it was only for testing
---
 framework/security/config/security.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 8a1d353..bf1d075 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -154,7 +154,7 @@ security.token.key=security.token.key
 
 # -- List of domains or IP addresses to be checked to prevent Host Header Injection,
 # -- no spaces after commas,no wildcard, can be extended of course...
-host-headers-allowed=127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
 # -- By default the SameSite value in SameSiteFilter is 'strict'.
 # -- This property allows to change to 'lax' if needed.
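Review bot: The comment above `host-headers-allowed` does not say that the shipped list is a development and demo default, so a deployment that keeps this file unchanged will accept `localhost` and `127.0.0.1` as Host values alongside the three demo host names. I would add a line under the existing comment such as `# -- The default values are for local development and the OFBiz demo instances; in production list only your own host names.` The existing comment covers spaces and wildcards but not whether an entry is compared with or without a port; the comparison code is not visible in this hunk, so that is worth confirming and documenting here too.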