• 1.0.2 675c2fddfe

    1.0.2
    All checks were successful
    CI / Lint + Static Analysis (push) Successful in 48s
    CI / Unit Tests (PHP 8.2) (push) Successful in 45s
    CI / Unit Tests (PHP 8.3) (push) Successful in 1m10s
    CI / Unit Tests (PHP 8.4) (push) Successful in 1m13s
    CI / Unit Tests (PHP 8.5) (push) Successful in 1m12s
    Stable

    eric released this 2026-06-27 15:40:13 -07:00 | 0 commits to main since this release

    What's Changed

    Security

    • Removed non-standard X-Host header from trusted-proxy mode. When MULTI_DOMAIN_REDUX_TRUST_PROXY=true, only X-Forwarded-Host (RFC 7239) is now honored. The non-standard X-Host header is not set by any common reverse proxy (nginx, Apache, HAProxy, Caddy), but trusting it allowed an unauthenticated caller to inject a configured hostname via a header operators would not think to strip at the proxy layer.
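The host-resolution rule described above, as an added PHP example that is not the plugin's own code: `resolve_request_host()` and `$configuredHosts` are hypothetical names, the sample requests are constructed, and it assumes the proxy overwrites X-Forwarded-Host with a single value.

```php
<?php
declare(strict_types=1);

// Illustrative sketch only: resolve_request_host() and $configuredHosts are
// hypothetical names, not the plugin's API.
function resolve_request_host(array $server, array $configuredHosts, bool $trustProxy): ?string
{
    $candidate = (string) ($server['HTTP_HOST'] ?? '');

    // In trusted-proxy mode only X-Forwarded-Host may override Host.
    // HTTP_X_HOST (the X-Host header) is deliberately never read.
    $forwarded = trim((string) ($server['HTTP_X_FORWARDED_HOST'] ?? ''));
    if ($trustProxy && $forwarded !== '') {
        // Assumption: the proxy overwrites the header with one value, so a
        // comma-separated list means a client-supplied value got through.
        if (str_contains($forwarded, ',')) {
            return null;
        }
        $candidate = $forwarded;
    }

    // Normalise: lower-case and drop a trailing :port.
    $host = strtolower((string) preg_replace('/:\d+$/', '', trim($candidate)));

    // Accept only hosts the operator configured; reject everything else.
    return in_array($host, $configuredHosts, true) ? $host : null;
}

// Constructed sample requests (not captured traffic).
$configured = ['example.com', 'mirror.example.net'];
$cases = [
    'X-Host only, trust on'          => [['HTTP_HOST' => 'example.com', 'HTTP_X_HOST' => 'mirror.example.net'], true],
    'X-Forwarded-Host, trust on'     => [['HTTP_HOST' => 'example.com', 'HTTP_X_FORWARDED_HOST' => 'mirror.example.net:443'], true],
    'X-Forwarded-Host, trust off'    => [['HTTP_HOST' => 'example.com', 'HTTP_X_FORWARDED_HOST' => 'mirror.example.net'], false],
    'Appended X-Forwarded-Host list' => [['HTTP_HOST' => 'example.com', 'HTTP_X_FORWARDED_HOST' => 'mirror.example.net, example.com'], true],
    'Unconfigured forwarded host'    => [['HTTP_HOST' => 'example.com', 'HTTP_X_FORWARDED_HOST' => 'other.invalid'], true],
];

foreach ($cases as $label => [$server, $trustProxy]) {
    printf("%-32s %s\n", $label, var_export(resolve_request_host($server, $configured, $trustProxy), true));
}
```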

    Fixed

    • ContentRewriter now rewrites URLs with explicit port numbers. URLs like https://example.com:8080/path embedded in post or comment content were previously skipped. The port is consumed and discarded; the rewritten URL uses the target host on its default port.

    Documentation

    • Trusted-proxy mode: documented that the reverse proxy must strip X-Forwarded-Host from inbound client requests and inject it only server-side, with an nginx example. Explicitly listed which headers are honored (X-Forwarded-Host, X-Forwarded-Proto only).
    • Hreflang: documented that hosts with no locale set are excluded from hreflang output — the built-in per-host opt-out for hosts you don't want advertised (e.g. a quiet Tor onion mirror).
    • Host configuration: documented that every configured host is added to the WordPress safe-redirect allowlist; only add hostnames you own and control.

    Full changelog: CHANGELOG.md
