npm - @angular/ssr - Versions diffs - 22.0.0-next.5 → 22.0.0-next.7 - Mend

@angular/ssr 22.0.0-next.5 → 22.0.0-next.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/fesm2022/_validation-chunk.mjs +47 -83
package/fesm2022/_validation-chunk.mjs.map +1 -1
package/fesm2022/node.mjs +34 -21
package/fesm2022/node.mjs.map +1 -1
package/fesm2022/ssr.mjs +13 -23
package/fesm2022/ssr.mjs.map +1 -1
package/package.json +8 -8
package/third_party/beasties/THIRD_PARTY_LICENSES.txt +1 -1
package/third_party/beasties/index.js +70 -38
package/third_party/beasties/index.js.map +1 -1
package/types/_app-engine-chunk.d.ts +22 -0
package/types/node.d.ts +9 -1

package/types/_app-engine-chunk.d.ts CHANGED Viewed

@@ -67,6 +67,24 @@ interface AngularAppEngineOptions {
      * A set of allowed hostnames for the server application.
      */
     allowedHosts?: readonly string[];
+    /**
+     * Extends the scope of trusted proxy headers (`X-Forwarded-*`).
+     *
+     * @remarks
+     * **This is a security-sensitive option!**
+     *
+     * When `trustProxyHeaders` is enabled, request headers such as `X-Forwarded-Host` and
+     * `X-Forwarded-Prefix` are trusted by the server and used for routing. These
+     * headers must be strictly validated and provided by a trusted client (e.g., at a reverse proxy, load
+     * balancer, or API gateway) and must *not* be provided by untrusted end users.
+     *
+     * If a `string[]` is provided, only those proxy headers are allowed.
+     * If `true`, all proxy headers are allowed.
+     * If `false` or not provided, proxy headers are ignored.
+     *
+     * @default false
+     */
+    trustProxyHeaders?: boolean | readonly string[];
 }
 /**
  * Angular server application engine.
@@ -114,6 +132,10 @@ declare class AngularAppEngine {
      * A map of supported locales from the server application's manifest.
      */
     private readonly supportedLocales;
+    /**
+     * The normalized allowed proxy headers.
+     */
+    private readonly trustProxyHeaders;
     /**
      * A cache that holds entry points, keyed by their potential locale string.
      */

package/types/node.d.ts CHANGED Viewed

@@ -70,6 +70,7 @@ interface AngularNodeAppEngineOptions extends AngularAppEngineOptions {
  */
 declare class AngularNodeAppEngine {
     private readonly angularAppEngine;
+    private readonly trustProxyHeaders?;
     /**
      * Creates a new instance of the Angular Node.js server application engine.
      * @param options Options for the Angular Node.js server application engine.
@@ -180,9 +181,16 @@ declare function writeResponseToNodeResponse(source: Response, destination: Serv
  * be used by web platform APIs.
  *
  * @param nodeRequest - The Node.js request object (`IncomingMessage` or `Http2ServerRequest`) to convert.
+ * @param trustProxyHeaders - A boolean or an array of proxy headers to trust when constructing the request URL.
+ *
+ * @remarks
+ * When `trustProxyHeaders` is enabled, headers such as `X-Forwarded-Host` and
+ * `X-Forwarded-Prefix` should ideally be strictly validated at a higher infrastructure
+ * level (e.g., at the reverse proxy or API gateway) before reaching the application.
+ *
  * @returns A Web Standard `Request` object.
  */
-declare function createWebRequestFromNodeRequest(nodeRequest: IncomingMessage | Http2ServerRequest): Request;
+declare function createWebRequestFromNodeRequest(nodeRequest: IncomingMessage | Http2ServerRequest, trustProxyHeaders?: boolean | readonly string[]): Request;
 /**
  * Determines whether the provided URL represents the main entry point module.