In this line: https://github.com/brannondorsey/host-validation/blob/2ba4672b82e2d956dd8614c87e2d846505be18d6/index.js#L91 use Array.some rather than iterating through all elements with Array.filter.

Then this: https://github.com/brannondorsey/host-validation/blob/2ba4672b82e2d956dd8614c87e2d846505be18d6/index.js#L28 is not something I would recommend. Don't try to fix bad input.
Neat, thanks for raising awareness of this issue. I don't think it makes a lot of sense for the web server case (as you said, using TLS would fix it and that seems like the bigger concern), but if someone is building something like an electron app with a local server component then they ought to use this.

FWIW I think you can check just the Host header; it's always going to be present and can't be set by an attacker. Referrer doesn't add anything extra, and attackers can force requests with blank referrers.

Also, all your example regexes are correctly anchored, but I can see a developer shooting themselves in the foot with that. I'd maybe add some warnings around it or even programmatically enforce anchored regexes.

Anyhow, thanks for the Show HN!
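As an added example (not code from the host-validation project or from either commenter), here is a small Host-header middleware that puts the two comments above into practice: it checks only the Host header, uses Array.some instead of filtering the whole list, rejects a missing or malformed Host rather than trying to repair it, and enforces anchoring by wrapping every RegExp rule in ^(?:...)$ instead of trusting the caller to anchor it. It assumes an Express-style (req, res, next) handler signature but has no Express dependency, and the allow-list values and the simulated requests are constructed for the demo.

```javascript
// Added example, not the host-validation library's own code: a minimal
// Host-header check in the style the comments above describe. Assumes an
// Express-style (req, res, next) handler signature; no Express dependency.

// Force every RegExp rule to match the whole Host value by wrapping it in
// ^(?: ... )$. A rule like /localhost/ would otherwise also match
// "localhost.attacker.example", which is exactly what a DNS-rebinding
// attacker can put in the Host header. The g and y flags are dropped
// because they make RegExp.prototype.test stateful via lastIndex.
function anchor(re) {
  return new RegExp(`^(?:${re.source})$`, re.flags.replace(/[gy]/g, ''));
}

// Turn one allow-list entry into a predicate over the lowercased Host.
function toMatcher(rule) {
  if (typeof rule === 'string') {
    const expected = rule.toLowerCase(); // hostnames are case-insensitive
    return (host) => host === expected;
  }
  if (rule instanceof RegExp) {
    const anchored = anchor(rule);
    return (host) => anchored.test(host);
  }
  throw new TypeError('host rule must be a string or a RegExp');
}

function hostValidation(allowedHosts) {
  if (!Array.isArray(allowedHosts) || allowedHosts.length === 0) {
    throw new Error('allowedHosts must be a non-empty array');
  }
  const matchers = allowedHosts.map(toMatcher);

  // The raw header is compared as-is apart from case folding. Nothing is
  // trimmed, split or "repaired": a malformed or missing Host is a reject.
  function hostAllowed(hostHeader) {
    if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
    const host = hostHeader.toLowerCase();
    // Array.some stops at the first matching rule instead of scanning all.
    return matchers.some((matches) => matches(host));
  }

  function middleware(req, res, next) {
    if (hostAllowed(req.headers.host)) return next();
    res.statusCode = 403;
    res.setHeader('Content-Type', 'text/plain');
    res.end('Forbidden: unexpected Host header');
  }
  middleware.hostAllowed = hostAllowed;
  return middleware;
}

// Drive the middleware with a constructed request; no real server needed.
// Returns 200 when next() was called, otherwise the status the middleware set.
function simulate(middleware, hostHeader) {
  const req = { headers: hostHeader === undefined ? {} : { host: hostHeader } };
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    end() {},
  };
  let passedThrough = false;
  middleware(req, res, () => { passedThrough = true; });
  return passedThrough ? 200 : res.statusCode;
}

// Constructed allow-list for a hypothetical local dev server on port 3000.
const allowLocalDev = hostValidation([
  'localhost:3000',
  /^127\.0\.0\.1:3000$/,
  /192\.168\.1\.\d{1,3}:3000/, // unanchored as written; anchor() fixes it
]);

for (const h of ['localhost:3000', 'LOCALHOST:3000', '192.168.1.7:3000',
                 'localhost:3000.attacker.example', 'x192.168.1.7:3000', undefined]) {
  console.log(String(h).padEnd(34), simulate(allowLocalDev, h));
}
```

Wrapping rather than rejecting unanchored patterns is a design choice for the demo: it makes the safe behaviour the default even when a developer forgets the anchors. Note that the string rules compare the whole host:port value, so a rule of 'localhost:3000' does not admit 'localhost' on another port; list each port you actually serve.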
I understand validating the `Host` header, but my understanding is that the referer field is optional and there's quite a few users who block referer headers for privacy/anti-tracking purposes. Would this stop those users from accessing the site also?