Allowed Hosts

ALLOWED_HOSTS restricts which upstream hostnames PreviewProxy is permitted to fetch images from. This is a critical security control that prevents your proxy from being used as an open relay.

Configuration

Set ALLOWED_HOSTS to a comma-separated list of hostnames:

ALLOWED_HOSTS=images.example.com,assets.example.com,s3.amazonaws.com

cảnh báo

If ALLOWED_HOSTS is empty (the default), any host is allowed. This is convenient for development but dangerous in production - it allows anyone who can reach your proxy to use it to fetch arbitrary content from the internet (SSRF). Always set ALLOWED_HOSTS in production.

Format

Specify only the hostname - no protocol, no port, no trailing slash:

# Correct
ALLOWED_HOSTS=images.example.com

# Incorrect - do not include protocol or port
ALLOWED_HOSTS=https://images.example.com
ALLOWED_HOSTS=images.example.com:443

Wildcard subdomains

Prefix a hostname with * to allow any subdomain:

ALLOWED_HOSTS=*.example.com

This matches images.example.com, assets.example.com, cdn.example.com, and so on. It does not match the bare example.com itself.

You can mix exact hostnames and wildcard entries in the same list:

ALLOWED_HOSTS=*.example.com,s3.amazonaws.com,other-cdn.net

Blocked requests

Requests targeting a host not present in ALLOWED_HOSTS are rejected with a 403 Forbidden response.

Private IP blocking

Regardless of what ALLOWED_HOSTS is set to, PreviewProxy always blocks requests that resolve to private or loopback IP ranges, including:

127.0.0.0/8 (loopback)
10.0.0.0/8 (private)
172.16.0.0/12 (private)
192.168.0.0/16 (private)
::1 (IPv6 loopback)
fc00::/7 (IPv6 unique local)

This prevents SSRF attacks that use DNS rebinding or internal hostnames to reach services on your internal network, even if those hostnames appear in ALLOWED_HOSTS.

Configuration​

Format​

Wildcard subdomains​

Blocked requests​

Private IP blocking​

Configuration

Format

Wildcard subdomains

Blocked requests

Private IP blocking