docs: baseOrigin

packages/validators/README.md

@@ -10,10 +10,17 @@ Validates URLs against a whitelist of allowed protocols and hostnames, preventin
 
 `options?`: `<Object>`
 
-- `baseOrigin`: `<string>` - The base origin to use for relative URLs. If no base origin is provided, relative URLs will be considered invalid. An origin does not include the path or query parameters. For example, a valid base origin is `https://example.com`.
+- `baseOrigin`: `<string>` - The base origin to use for relative URLs. If no base origin is provided, relative URLs will be considered invalid.
+
+  An origin does not include the path or query parameters. For example, a valid base origin is `https://example.com` or `http://localhost:3000`.
+
 - `whitelist`: `<Object>`
-  - `protocols`: `<string[]>` - A list of allowed protocols. If no protocols are provided, the validator will use the default protocols: `['http', 'https']`. **Caution: allowing `javascript` or `data` protocols can lead to XSS vulnerabilities.**
-  - `hostnames`: `<string[]>` - A list of allowed hostnames. If no hostnames are provided, the validator will allow any hostname. **It is recommended to provide a list of allowed hostnames to prevent open redirects.**
+  - `protocols`: `<string[]>` - A list of allowed protocols. If no protocols are provided, the validator will use the default protocols: `['http', 'https']`.
+
+    **Caution: allowing `javascript` or `data` protocols can lead to XSS vulnerabilities.**
+  - `hostnames`: `<string[]>` - A list of allowed hostnames. If no hostnames are provided, the validator will allow any hostname.
+
+    **It is recommended to provide a list of allowed hostnames to prevent open redirects.**
 
 If no options are provided, the validator will use the default options: