change: configuration of flask changed variable
utnapischtim authored and tmorrell committed Feb 24, 2025
1 parent ecf52b6 commit 57aa919
Showing 2 changed files with 8 additions and 8 deletions.
8 changes: 4 additions & 4 deletions docs/customize/look-and-feel/index.md
Expand Up @@ -35,15 +35,15 @@ INVENIO_THEME_FRONTPAGE_TITLE="Stage RePo: the Repository about Potatoes"

❌ DON'T
```shell
INVENIO_APP_ALLOWED_HOSTS=["127.0.0.1"] invenio-cli run
INVENIO_TRUSTED_HOSTS=["127.0.0.1"] invenio-cli run
```
`APP_ALLOWED_HOSTS` is interpreted as the string `"[127.0.0.1]"` because of shell substitution followed by Python literal conversion.
`TRUSTED_HOSTS` is interpreted as the string `"[127.0.0.1]"` because of shell substitution followed by Python literal conversion.

✅ DO
```shell
INVENIO_APP_ALLOWED_HOSTS='["127.0.0.1"]' invenio-cli run
INVENIO_TRUSTED_HOSTS='["127.0.0.1"]' invenio-cli run
```
`APP_ALLOWED_HOSTS` is interpreted as the list `["127.0.0.1"]` which is right.
`TRUSTED_HOSTS` is interpreted as the list `["127.0.0.1"]` which is right.

Another pitfall to avoid is when a value can be interpreted as the wrong type.
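
Review bot: the DON'T and DO examples drop `INVENIO_APP_ALLOWED_HOSTS` without mentioning that it was renamed, so a reader who still exports the old variable gets no hint from this page that the name changed. Suggest one sentence after the DO block stating that `INVENIO_TRUSTED_HOSTS` replaces `INVENIO_APP_ALLOWED_HOSTS`, and from which release. The DO explanation could also replace "which is right" with what is meant: the value is parsed as a list of host names, which is the form the option takes.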

8 changes: 4 additions & 4 deletions docs/install/configuration.md
Expand Up @@ -45,9 +45,9 @@ The credentials you do find in the ``invenio.cfg`` file are for the default deve
## Options

---
### ``APP_ALLOWED_HOSTS``
### ``TRUSTED_HOSTS``

Invenio has a configuration option called ``APP_ALLOWED_HOSTS`` which controls which hosts/domain names can be served. A client request to a web server usually includes the domain name in the Host HTTP header:
Invenio has a configuration option called ``TRUSTED_HOSTS`` which controls which hosts/domain names can be served. A client request to a web server usually includes the domain name in the Host HTTP header:

```
GET /
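
Review bot: the opening sentence of this section still reads "Invenio has a configuration option called ``TRUSTED_HOSTS``", while the commit message attributes the rename to a change in Flask's configuration. Suggest wording the sentence so it says whose setting this is, and noting the version in which the new name applies. Renaming the heading also changes the section anchor, so a short "formerly ``APP_ALLOWED_HOSTS``" line under the heading would keep searches for the old name landing here.
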
Expand All @@ -61,10 +61,10 @@ An attacker has full control of the host header and can thus change it to whatev

Normally your load balancer/web server should only route requests with a white-listed set of hosts to your application. It is however very easy to misconfigure this in your web server, and thus Invenio includes a protective measure.

Simply set APP_ALLOWED_HOSTS to a list of allowed hosts/domain names:
Simply set TRUSTED_HOSTS to a list of allowed hosts/domain names:

```
APP_ALLOWED_HOSTS = ['www.example.org']
TRUSTED_HOSTS = ['www.example.org']
```

Failing to properly configure this variable will cause the error `Bad Request Host x.x.x.x is not trusted.` when starting the web app.
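
Review bot: "Simply set TRUSTED_HOSTS to a list of allowed hosts/domain names:" leaves the option name unformatted, while the heading and first paragraph of this section write it as ``TRUSTED_HOSTS``; use the same literal markup here. While these lines are being touched, the example fence could carry a `python` tag, and the closing sentence is worth rechecking: it says the `Bad Request Host x.x.x.x is not trusted.` error appears "when starting the web app", whereas the section describes a check on the Host header of a client request.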