diff --git a/docs/en/00_Getting_Started/00_Server_Requirements.md b/docs/en/00_Getting_Started/00_Server_Requirements.md index c4c5f374f..3574fcf03 100644 --- a/docs/en/00_Getting_Started/00_Server_Requirements.md +++ b/docs/en/00_Getting_Started/00_Server_Requirements.md @@ -112,6 +112,16 @@ For example, Apache allows this through `Header setifempty` (see [docs](https:// See [Developer Guide: Performance](/developer_guides/performance/) and [Developer Guides: File Security](/developer_guides/files/file_security) for more details. +Silverstripe relies on the `Host` header to construct URLs such as "reset password" links, +so you'll need to ensure that the systems hosting it only allow valid values for this header. +See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery). + +### CDNs and other Reverse Proxies + +If your Silverstripe site is hosted behind multiple HTTP layers, +you're in charge of controlling which forwarded headers are considered valid, +and which IPs can set them. See See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery). + ### Symlinks SilverStripe is a modular system, with modules installed and updated diff --git a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md index 003813491..f6a9dd010 100644 --- a/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md +++ b/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md 
@@ -648,7 +648,7 @@ This is a recommended option to secure any controller which displays or submits sensitive user input, and is enabled by default in all CMS controllers, as well as the login form. -## Request hostname forgery +## Request hostname forgery {#request-hostname-forgery} To prevent a forged hostname appearing being used by the application, SilverStripe allows the configure of a whitelist of hosts that are allowed to access the system. By defining
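Review bot: the new CDN paragraph in 00_Server_Requirements.md has a doubled word: `and which IPs can set them. See See [Developer Guide: Security - Request hostname forgery]` should read `See [Developer Guide: ...]` once. Separately, this paragraph tells the reader they are "in charge of controlling which forwarded headers are considered valid, and which IPs can set them" but then links to the same hostname-forgery anchor as the preceding paragraph; please either name the relevant configuration here or confirm that the linked section actually covers trusted proxy IPs and forwarded headers, since otherwise the reader is told what to do without being pointed at how.

Review bot: the heading change in 04_Secure_Coding.md (`## Request hostname forgery {#request-hostname-forgery}`) relies on the docs renderer supporting Markdown heading-id attributes; if it does not, the `#request-hostname-forgery` fragment used by both new links in 00_Server_Requirements.md will not resolve, so this is worth verifying in the rendered output. While touching this heading, the unchanged context line directly below it ("To prevent a forged hostname appearing being used by the application, SilverStripe allows the configure of a whitelist") could be tidied to "from being used" and "allows the configuration of".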