- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security

This resolves issues #41 and #42 by making the HTTP server properly handle deployment behind reverse proxies and adds critical security validations.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -44,6 +44,15 @@ USE_FIXED_HTTP=true
|
||||
PORT=3000
|
||||
HOST=0.0.0.0
|
||||
|
||||
# Base URL Configuration (optional)
|
||||
# Set this when running behind a proxy or when the server is accessed via a different URL
|
||||
# than what it binds to. If not set, URLs will be auto-detected from proxy headers (if TRUST_PROXY is set)
|
||||
# or constructed from HOST and PORT.
|
||||
# Examples:
|
||||
# BASE_URL=https://n8n-mcp.example.com
|
||||
# BASE_URL=https://your-domain.com:8443
|
||||
# PUBLIC_URL=https://n8n-mcp.mydomain.com (alternative to BASE_URL)
|
||||
|
||||
# Authentication token for HTTP mode (REQUIRED)
|
||||
# Generate with: openssl rand -base64 32
|
||||
AUTH_TOKEN=your-secure-token-here
|
||||
|
||||
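Review bot: The comment block starting at "# Base URL Configuration (optional)" gives BASE_URL and PUBLIC_URL as alternatives but does not say which one wins when both are set, and it relies on TRUST_PROXY without saying in this hunk what value it takes. Suggest adding one line that states the precedence (for example "BASE_URL takes priority over PUBLIC_URL", if that is the behaviour) and one line noting that only http and https values are accepted, since the commit message says other schemes are rejected. The fallback "constructed from HOST and PORT" also sits directly under HOST=0.0.0.0, so it is worth stating what URL is reported in that default case, because a bind-all address is not one a client can use.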