fix: Disabled 'allowed hosts filter' in production.conf template, and…

… adapted README accordingly
dnpm-dip · Nov 26, 2024 · 677e62b · 677e62b
1 parent ba19983
commit 677e62b
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -264,16 +264,18 @@ These files are expected by the application in the directory `./backend-config`
 The Play HTTP Server in which the backend application runs is configured via file `./backend-config/production.conf`.
 The template provides defaults for all required settings.
 
-In case the backend won't be addressed via a reverse proxy forwarding to 'localhost' but directly by IP and/or hostname, these "allowed hosts" must be configured explicitly:
+##### Allowed Hosts
+
+Given that the backend service is operated behind the reverse proxy and not exposed directly, the [Allowed hosts filter](https://www.playframework.com/documentation/3.0.x/AllowedHostsFilter) is disabled by default.
+In case you were to deviate from this setup and directly expose the backend service, you should consider re-activateing this filter and configure the necessary allowed hosts accordingly:
 
 ```bash
 ...
 hosts {
   allowed = ["your.host.name",...]
 }
 ```
-See also the [Allowed Hosts Filter Documentation](https://www.playframework.com/documentation/3.0.x/AllowedHostsFilter).
-
+##### Payload size
 
 Depending on the expected size of data uploads, the memory buffer can also be adjusted, e.g.:
 

diff --git a/backend-config/production.template.conf b/backend-config/production.template.conf
@@ -16,14 +16,10 @@ play {
   filters {
 
     enabled += "play.filters.cors.CORSFilter"
-    enabled += "play.filters.hosts.AllowedHostsFilter"
-
+
+    disabled += "play.filters.hosts.AllowedHostsFilter"
     disabled += "play.filters.csrf.CSRFFilter"
 
-    hosts {
-      allowed = ["localhost","127.0.0.1","backend"]
-    }
-
     cors {
       pathPrefixes = ["/"]
       allowedOrigins = null