withastro · astrobot-houston · Oct 11, 2025 · sarah11918 · Oct 11, 2025
diff --git a/src/content/docs/en/reference/configuration-reference.mdx b/src/content/docs/en/reference/configuration-reference.mdx
@@ -409,6 +409,44 @@ one of the following `content-type` headers: `'application/x-www-form-urlencoded
 
 If the "origin" header doesn't match the `pathname` of the request, Astro will return a 403 status code and will not render the page.
 
+### security.allowedDomains
-### security.allowedDomains
+#### security.allowedDomains
-### security.allowedDomains
+#### security.allowedDomains
+
+<p>
+
+**Type:** `Array<RemotePattern>`<br />
+**Default:** `[]`<br />
+<Since v="5.14.2" />
+</p>
+
+Defines a list of permitted host patterns for incoming requests when using SSR. When configured, Astro will validate the `X-Forwarded-Host` header
+against these patterns for security. If the header doesn't match any allowed pattern, the header is ignored and the request's original host is used instead.
+
+This prevents host header injection attacks where malicious actors can manipulate the `Astro.url` value by sending crafted `X-Forwarded-Host` headers.
+
+Each pattern can specify `protocol`, `hostname`, and `port`. All three are validated if provided.
+The patterns support wildcards for flexible hostname matching:
+
+```js
+{
+  security: {
+    // Example: Allow any subdomain of example.com on https
+    allowedDomains: [
+      {
+        hostname: '**.example.com',
+        protocol: 'https'
+      },
+      {
+        hostname: 'staging.myapp.com',
+        protocol: 'https',
+        port: '443'
+      }
+    ]
+  }
+}
+```
+
+When not configured, `X-Forwarded-Host` headers are not trusted and will be ignored.
+
 ### vite
 
 <p>