pub async fn host_validate(req: Request, next: Next) -> ResponseExpand description
Middleware: reject requests whose Host header (or HTTP/2
:authority pseudo-header) is not in the configured allowlist.
Source of truth for the allowlist:
axum::Extension<TrustedHosts>if present on the request — the server builder inserts this fromTrustedHosts::from_envat startup, and tests can override.- Otherwise, a per-process env-var fallback parsed once from
TENSOR_WASM_API_TRUSTED_HOSTS.
Empty allowlist (no entries / env unset) = pass-through.
Host extraction order:
Host:request header.- If absent,
req.uri().authority()— the URI carries the HTTP/2:authoritypseudo-header inhyper’s normalised request form. - If both absent and the allowlist is non-empty, respond
400.
Closes api S-30. T19 perf re-order: layered OUTSIDE the trace layer
(and the CORS layer) so hostile Host probes are rejected before any
trace span is allocated or any traceparent propagator hop runs.
Still layered BEFORE bearer_auth so an attacker probing for valid
hosts cannot also probe for valid tokens. The probe router inherits
this gate too; operators with split-Host probes can simply omit the
env var. Rejected requests do NOT get a trace span and are NOT
counted by the HTTP metrics layer (which sits inside the trace
layer) — an intentional tradeoff so a hostile Host probe storm
cannot burn either trace budget or metric cardinality. See the
comment block in build_router_full.