From 677e62b93d9b0f5f27d55ac44bc7ebb37e85ccaa Mon Sep 17 00:00:00 2001 From: Lucien Clin Date: Tue, 26 Nov 2024 11:58:04 +0100 Subject: [PATCH] fix: Disabled 'allowed hosts filter' in production.conf template, and adapted README accordingly --- README.md | 8 +++++--- backend-config/production.template.conf | 8 ++------ 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 8aa4b2f..0ecdf6f 100644 --- a/README.md +++ b/README.md @@ -264,7 +264,10 @@ These files are expected by the application in the directory `./backend-config` The Play HTTP Server in which the backend application runs is configured via file `./backend-config/production.conf`. The template provides defaults for all required settings. -In case the backend won't be addressed via a reverse proxy forwarding to 'localhost' but directly by IP and/or hostname, these "allowed hosts" must be configured explicitly: +##### Allowed Hosts + +Given that the backend service is operated behind the reverse proxy and not exposed directly, the [Allowed hosts filter](https://www.playframework.com/documentation/3.0.x/AllowedHostsFilter) is disabled by default. +In case you were to deviate from this setup and directly expose the backend service, you should consider re-activateing this filter and configure the necessary allowed hosts accordingly: ```bash ... @@ -272,8 +275,7 @@ hosts { allowed = ["your.host.name",...] } ``` -See also the [Allowed Hosts Filter Documentation](https://www.playframework.com/documentation/3.0.x/AllowedHostsFilter). - +##### Payload size Depending on the expected size of data uploads, the memory buffer can also be adjusted, e.g.: diff --git a/backend-config/production.template.conf b/backend-config/production.template.conf index 31bff98..8853d21 100644 --- a/backend-config/production.template.conf +++ b/backend-config/production.template.conf 
@@ -16,14 +16,10 @@ play { filters { enabled += "play.filters.cors.CORSFilter" - enabled += "play.filters.hosts.AllowedHostsFilter" - + + disabled += "play.filters.hosts.AllowedHostsFilter" disabled += "play.filters.csrf.CSRFFilter" - hosts { - allowed = ["localhost","127.0.0.1","backend"] - } - cors { pathPrefixes = ["/"] allowedOrigins = null
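Review bot: The new `disabled += "play.filters.hosts.AllowedHostsFilter"` line turns off Host-header validation in the production template, and nothing in the file records the assumption that makes this acceptable. I would add a comment directly above it, e.g. `# Host header is NOT validated here: safe only while the backend is reachable solely through the reverse proxy, which must pin or reject unexpected Host values. Re-enable and set hosts.allowed if the service is ever exposed directly.` The deleted `hosts { allowed = [...] }` block would be worth keeping as a commented-out example, because an operator who re-enables the filter otherwise gets Play's built-in default list and has to find the setting in the README. With the CSRF filter also disabled and `allowedOrigins = null` visible in the context lines, the proxy and network isolation appear to be the only remaining control against DNS-rebinding-style or spoofed-Host requests. It is worth confirming that the deployment binds the backend port to the internal network only. The enclosing `play { filters { ... } }` block continues outside this hunk.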