DnsRebindingProtectionConfig

List of hostnames allowed in the Host header. Comparison is port-agnostic and case-insensitive. Defaults to localhost, 127.0.0.1, [::1]. An empty list will reject all requests.

Optional list of allowed Origin values. Entries are parsed as URLs (via parseUrl) and compared by hostname only — scheme and port are ignored. If null, origin validation is disabled. If configured, requests with an Origin header whose hostname is not in the list are rejected, but requests without an Origin header are allowed (non-browser clients).