Skip to main content
← Back to list
01Issue
FeatureShippedSwamp CLI
Assigneesstack72

Relationships

#994 Add --trusted-hosts flag to swamp serve for Docker/Kubernetes worker connections

Opened by stack72 · 7/6/2026· Shipped 7/6/2026

Summary

When `swamp serve` binds to `0.0.0.0` with TLS + auth, WebSocket connections from Docker containers and Kubernetes pods are rejected with "untrusted host: host.docker.internal:9090" because the Host header validation only trusts `localhost`, `127.0.0.1`, `::1`, and the literal bind address.

This blocks every Docker and Kubernetes fleet deployment where workers connect via platform-specific hostnames.

Fix

Add a `--trusted-hosts` flag (and `SWAMP_TRUSTED_HOSTS` env var) that lets operators explicitly whitelist hostnames for the Host header validation:

```bash swamp serve --host 0.0.0.0 \ --trusted-hosts host.docker.internal,host.minikube.internal \ --cert-file server.crt --key-file server.key --auth-mode token ```

This preserves the DNS rebinding defense (Host header is still validated) while letting operators whitelist the specific hostnames their workers use.

Changes

  • `src/cli/commands/serve.ts`: Add `--trusted-hosts hosts:string` flag, parse as comma-separated list, pass to `validateWebSocketOrigin`
  • `validateWebSocketOrigin`: Accept optional `trustedHosts: string[]` parameter, add to the `TRUSTED_HOSTS` set
  • Env var: `SWAMP_TRUSTED_HOSTS` (comma-separated)
  • Forward in daemon launcher args
02Bog Flow
OPENTRIAGEDIN PROGRESSSHIPPED+ 1 MOREASSIGNED+ 3 MOREFINDINGS+ 4 MOREPR_MERGED+ 1 MORENOTIFICATION_SKIPPED

Shipped

7/6/2026, 10:04:51 PM

Click a lifecycle step above to view its details.

03Sludge Pulse
stack72 assigned stack727/6/2026, 9:37:07 PM

Sign in to post a ripple.