Documented ApplicationUrlDetection (17.4)
#8024
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -21,6 +21,7 @@ An example of a web routing config with default values, and a placeholder for th | |
| "DisableRedirectUrlTracking": false, | ||
| "UrlProviderMode": "Auto", | ||
| "UmbracoApplicationUrl": "http://www.mysite.com/", | ||
| "ApplicationUrlDetection": "None", | ||
| "UseStrictDomainMatching": false | ||
| } | ||
| } | ||
|
|
@@ -100,12 +101,28 @@ Will set the URL provider mode, options are: | |
|
|
||
| ## Umbraco application URL | ||
|
|
||
| Defines the Umbraco application URL that the server should reach itself. This URL is used in features such as password reset links, user invitations, and other email notifications, as well as for some health checks. The format is: `http://www.mysite.com/` and must contain the scheme (http/https) and complete hostname. | ||
|
|
||
| When this setting is provided, it always takes precedence over any value detected through `ApplicationUrlDetection`. Setting an explicit value is the recommended approach for production environments. | ||
|
|
||
| {% hint style="info" %} | ||
| Previously before v9, it was required to specify the **backoffice** path as this was customizable (`/umbraco` by default). However, from v9+ this is no longer possible, so it's sufficient to use the URL that contains the scheme (http/https) and complete hostname. | ||
| {% endhint %} | ||
|
|
||
| ## Application URL detection | ||
|
|
||
| Controls how Umbraco determines the application URL when `UmbracoApplicationUrl` has not been set explicitly. Available options are: | ||
|
|
||
| * `None` (default): No auto-detection takes place. The application URL must be set explicitly via `UmbracoApplicationUrl`. Operations that require it (such as user invitations and password resets) will fail with a `400 Bad Request` response indicating that the application URL is not configured. | ||
| * `FirstRequest`: The application URL is set from the first HTTP request received by the server, after which it is locked. Subsequent requests with different `Host` headers are ignored. | ||
| * `EveryRequest`: The application URL is set from the first HTTP request and can be overwritten by every subsequent request. | ||
|
|
||
| {% hint style="warning" %} | ||
|
There was a problem hiding this comment.
|
||
| In environments where Umbraco is not behind a reverse proxy that validates the `Host` header, allowing auto-detection (`FirstRequest` or `EveryRequest`) can enable a forged `Host` header to influence the URL used in email notifications. Explicitly configuring `UmbracoApplicationUrl` is the recommended approach. | ||
| {% endhint %} | ||
|
|
||
| `UmbracoApplicationUrl` always takes precedence over the value derived through `ApplicationUrlDetection`. | ||
|
|
||
| ## Strict domain matching | ||
|
|
||
| With multi-site setups multiple root nodes will be prepared with assigned domains. When routing a request, the content matched by path below the root node that matches the domain is returned. | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -21,6 +21,7 @@ An example of a web routing config with default values, and a placeholder for th | |
| "DisableRedirectUrlTracking": false, | ||
| "UrlProviderMode": "Auto", | ||
| "UmbracoApplicationUrl": "http://www.mysite.com/", | ||
| "ApplicationUrlDetection": "None", | ||
| "UseStrictDomainMatching": false | ||
| } | ||
| } | ||
|
|
@@ -100,12 +101,28 @@ Will set the URL provider mode, options are: | |
|
|
||
| ## Umbraco application URL | ||
|
|
||
| Defines the Umbraco application URL that the server should reach itself. This URL is used in features such as password reset links, user invitations, and other email notifications, as well as for some health checks. The format is: `http://www.mysite.com/` and must contain the scheme (http/https) and complete hostname. | ||
|
|
||
| When this setting is provided, it always takes precedence over any value detected through `ApplicationUrlDetection`. Setting an explicit value is the recommended approach for production environments. | ||
|
|
||
| {% hint style="info" %} | ||
| Previously before v9, it was required to specify the **backoffice** path as this was customizable (`/umbraco` by default). However, from v9+ this is no longer possible, so it's sufficient to use the URL that contains the scheme (http/https) and complete hostname. | ||
|
There was a problem hiding this comment.
|
||
| {% endhint %} | ||
|
|
||
| ## Application URL detection | ||
|
|
||
| Controls how Umbraco determines the application URL when `UmbracoApplicationUrl` has not been set explicitly. Available options are: | ||
|
|
||
| * `None` (default): No auto-detection takes place. The application URL must be set explicitly via `UmbracoApplicationUrl`. Operations that require it (such as user invitations and password resets) will fail with a `400 Bad Request` response indicating that the application URL is not configured. | ||
| * `FirstRequest`: The application URL is set from the first HTTP request received by the server, after which it is locked. Subsequent requests with different `Host` headers are ignored. | ||
| * `EveryRequest`: The application URL is set from the first HTTP request and can be overwritten by every subsequent request. | ||
|
|
||
| {% hint style="warning" %} | ||
|
There was a problem hiding this comment.
|
||
| In environments where Umbraco is not behind a reverse proxy that validates the `Host` header, allowing auto-detection (`FirstRequest` or `EveryRequest`) can enable a forged `Host` header to influence the URL used in email notifications. Explicitly configuring `UmbracoApplicationUrl` is the recommended approach. | ||
| {% endhint %} | ||
|
|
||
| `UmbracoApplicationUrl` always takes precedence over the value derived through `ApplicationUrlDetection`. | ||
|
|
||
| ## Strict domain matching | ||
|
|
||
| With multi-site setups multiple root nodes will be prepared with assigned domains. When routing a request, the content matched by path below the root node that matches the domain is returned. | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.