server/security.ts

Build the set of allowed hostnames for Host header validation based on the server's bind address.

When binding to localhost or 127.0.0.1, both are allowed (they refer to the same interface). When binding to 0.0.0.0, all local hostnames are allowed since we can't know which interface the request arrived on.

Create middleware that validates the Host header against an allowlist.

Blocks requests whose Host header hostname doesn't match any allowed value. The port portion of the Host header is stripped before comparison. Requests without a Host header are allowed through (non-browser clients like curl or CLI).

Extract the hostname portion from a Host header value. Handles IPv6 brackets: [::1]:3000 → [::1] Handles regular: localhost:3000 → localhost

Check whether a bind address is a wildcard that exposes to the network.

Default set of hostnames considered safe for local-only binding. Includes all common ways to address localhost.

Addresses that bind to all network interfaces. These are dangerous without authentication because they expose the daemon to the LAN.