🔒️ fix: improve proxy header security and clean up debugging code

- Add host header validation middleware to prevent header injection attacks
- Configure ForwardedHeaders middleware for Cloudflare + DigitalOcean proxy chain
- Remove debugging logs from Apple callback controller
- Disable hot reload for backend API to ensure config changes apply
- Add AllowedHosts configuration to .env.example
- Update Vite allowed hosts configuration

Security improvements:
- Validate incoming host headers against allowed list in production
- Trust up to 2 proxies in chain (Cloudflare -> DigitalOcean)
- Only process requests to configured domains

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ervwalter

.env.example

@@ -14,4 +14,9 @@ Jwt__SigningKey=your-random-signing-key-at-least-32-chars
 
 # OAuth Provider Configuration
 Withings__ClientId=your-withings-client-id
-Withings__ClientSecret=your-withings-client-secret
+Withings__ClientSecret=your-withings-client-secret
+
+# Security Configuration
+# Comma-separated list of allowed host headers (for production)
+# Use "*" to allow all hosts (not recommended for production)
+AllowedHosts=trendweight.com,www.trendweight.com,trendweight.io

.tmuxinator.yml

@@ -21,4 +21,4 @@ windows:
             - cd apps/api/TrendWeight
             - tmux pipe-pane -t 1 "perl -pe '$|=1; s/\\e\\[[0-9;?]*[a-zA-Z]//g; s/\\\\\\].*?\\\\//g; s/\\e\\].*?\\007//g; s/\\r//g; s/\\e=//g' > logs/backend.log 2>&1"
             - clear
-            - exec bash -c "trap 'tmux kill-session -t trendweight' EXIT; dotnet watch"
+            - exec bash -c "trap 'tmux kill-session -t trendweight' EXIT; dotnet watch --no-hot-reload"

apps/api/TrendWeight/Features/Auth/AppleCallbackController.cs

@@ -9,22 +9,8 @@ namespace TrendWeight.Features.Auth;
 public class AppleCallbackController : ControllerBase
 {
     [HttpPost("callback")]
-    public IActionResult Callback(ILogger<AppleCallbackController> logger)
+    public IActionResult Callback()
     {
-        // Log the incoming request details (ForwardedHeaders middleware has already updated these)
-        logger.LogInformation("Apple callback received - Method: {Method}, Scheme: {Scheme}, Host: {Host}, Path: {Path}",
-            Request.Method, Request.Scheme, Request.Host, Request.Path);
-
-        // Log all form data received
-        foreach (var kvp in Request.Form)
-        {
-            // Don't log sensitive data in production, but for debugging this is helpful
-            var value = kvp.Key.Contains("token", StringComparison.OrdinalIgnoreCase)
-                ? $"[REDACTED-{kvp.Value.ToString().Length}-chars]"
-                : kvp.Value.ToString();
-            logger.LogInformation("Apple form data - {Key}: {Value}", kvp.Key, value);
-        }
-
         // Convert form data to query string
         var queryString = string.Join("&", Request.Form.Select(kvp =>
             $"{Uri.EscapeDataString(kvp.Key)}={Uri.EscapeDataString(kvp.Value.ToString())}"));
@@ -33,8 +19,6 @@ public IActionResult Callback(ILogger<AppleCallbackController> logger)
         // The ForwardedHeaders middleware has already updated Request.Scheme and Request.Host
         var redirectUrl = $"{Request.Scheme}://{Request.Host}/auth/apple/callback?{queryString}";
 
-        logger.LogInformation("Redirecting to: {RedirectUrl}", redirectUrl);
-
         return Redirect(redirectUrl);
     }
 }

apps/api/TrendWeight/Program.cs

@@ -1,12 +1,19 @@
 using System.Net;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using Microsoft.AspNetCore.HostFiltering;
 using Microsoft.AspNetCore.HttpOverrides;
 using TrendWeight.Infrastructure.Extensions;
 using TrendWeight.Infrastructure.Middleware;
 
 var builder = WebApplication.CreateBuilder(args);
 
+// Disable ASP.NET Core's built-in host filtering since we have custom validation
+builder.Services.Configure<HostFilteringOptions>(options =>
+{
+    options.AllowedHosts = new List<string> { "*" };
+});
+
 // Add services to the container
 builder.Services.AddControllers()
     .AddJsonOptions(options =>
@@ -55,18 +62,14 @@
 {
     options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
 
-    if (builder.Environment.IsProduction())
-    {
-        // Production: Only trust the immediate proxy (most secure default)
-        options.ForwardLimit = 1;
-        options.RequireHeaderSymmetry = false;
-    }
-    else
-    {
-        // Development: Trust any source for ease of testing
-        options.KnownNetworks.Clear();
-        options.KnownProxies.Clear();
-    }
+    // Clear default networks/proxies to trust headers from load balancers
+    // Security Note: Host header validation is performed later in the pipeline
+    options.KnownNetworks.Clear();
+    options.KnownProxies.Clear();
+
+    // Limit proxy chain depth to prevent spoofing
+    options.ForwardLimit = 2; // Allows for Cloudflare -> DigitalOcean chain
+    options.RequireHeaderSymmetry = false;
 });
 
 var app = builder.Build();
@@ -80,6 +83,35 @@
 // Use forwarded headers from proxies
 app.UseForwardedHeaders();
 
+// Validate host header for security (prevent host header injection)
+if (app.Environment.IsProduction())
+{
+    app.Use(async (context, next) =>
+    {
+        var allowedHostsConfig = app.Configuration["AllowedHosts"];
+
+        if (!string.IsNullOrEmpty(allowedHostsConfig) && allowedHostsConfig != "*")
+        {
+            var allowedHosts = allowedHostsConfig.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+            var requestHost = context.Request.Host.Host;
+
+            // Check both with and without port
+            var hostMatches = allowedHosts.Any(h =>
+                h.Equals(requestHost, StringComparison.OrdinalIgnoreCase) ||
+                h.Equals(context.Request.Host.Value, StringComparison.OrdinalIgnoreCase));
+
+            if (!hostMatches)
+            {
+                app.Logger.LogWarning("Rejected request with invalid host header: {Host}", context.Request.Host.Value);
+                context.Response.StatusCode = 400;
+                await context.Response.WriteAsync("Bad Request: Invalid Host header");
+                return;
+            }
+        }
+        await next();
+    });
+}
+
 if (app.Environment.IsDevelopment())
 {
     app.UseSwagger();

apps/web/vite.config.ts

@@ -8,7 +8,7 @@ export default defineConfig({
   plugins: [TanStackRouterVite(), react(), tailwindcss()],
   server: {
     host: true,
-    allowedHosts: ["studio-1", "studio-1.elf-hadar.ts.net", ".local", "localhost"],
+    allowedHosts: ["studio-1", "studio-1.elf-hadar.ts.net", ".local", "localhost", ""],
     proxy: {
       // Proxy all /api requests to the C# backend
       "/api": {