Host Validation & Cache-Control

Host Validation (Allowed Hosts)

How it works

Compares the request Host header against ALLOWED_HOSTS
Blocks requests with a non-allowed host (HTTP 400)
Protects against Host Header Injection attacks

`.env` Configuration

# Allowed hosts (comma-separated)
ALLOWED_HOSTS=localhost,127.0.0.1,example.com

# Supported patterns:
# localhost       → exact match
# .example.com   → matches example.com AND *.example.com
# *              → ALL hosts (⚠️ DANGEROUS in production!)

Debug mode

With DEBUG=true, host validation is disabled by default to make development easier.

Cache-Control

Development mode (`DEBUG=true`)

no-cache headers are added to force reloads:

Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache

Production mode (`DEBUG=false`)

Caching headers are enabled for performance.

Variable	Default	Description
`SECRETE_KEY`	(required)	Secret key for CSRF
`ALLOWED_HOSTS`	`*`	Allowed hosts
`DEBUG`	`true`	Debug mode (affects cache, hosts)
`RUNIQUE_ENABLE_HOST_VALIDATION`	(auto)	Force host validation
`RUNIQUE_ENABLE_CACHE`	(auto)	Force cache control

Host Validation & Cache-Control

Host Validation (Allowed Hosts)

How it works

.env Configuration

Debug mode

Cache-Control

Development mode (DEBUG=true)

Production mode (DEBUG=false)

Security-related environment variables

`.env` Configuration

Development mode (`DEBUG=true`)

Production mode (`DEBUG=false`)