feat(gateway)!: require explicit non-loopback control-ui origins

2026-05-31 05:36:52 +00:00 · 2026-02-24 01:52:15 +00:00
parent edfefdff7d
commit 223d7dc23d
19 changed files with 187 additions and 10 deletions
--- a/src/config/types.gateway.ts
+++ b/src/config/types.gateway.ts
@@ -70,6 +70,11 @@ export type GatewayControlUiConfig = {
  root?: string;
  /** Allowed browser origins for Control UI/WebChat websocket connections. */
  allowedOrigins?: string[];
+  /**
+   * DANGEROUS: Keep Host-header origin fallback behavior.
+   * Supported long-term for deployments that intentionally rely on this policy.
+   */
+  dangerouslyAllowHostHeaderOriginFallback?: boolean;
  /**
   * Insecure-auth toggle.
   * Control UI still requires secure context + device identity unless