From 2b2b25c060e29e2133f5a2209a19f23d53e7723d Mon Sep 17 00:00:00 2001 From: Jeremy Eder Date: Fri, 20 Mar 2026 15:55:40 -0400 Subject: [PATCH] docs: document ALLOWED_HTTP_HOSTS env var in DEPLOYMENT.md Add to Environment table and update Security Notes to reflect the env var approach (replacing the old "edit mcp_server.py" guidance). Note that deploy.sh auto-injects the route hostname for OpenShift overlays. Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/DEPLOYMENT.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md index 99ed1a8..c270333 100644 --- a/docs/DEPLOYMENT.md +++ b/docs/DEPLOYMENT.md @@ -197,6 +197,7 @@ deploy/deploy.sh apply --overlay openshift | `NAMESPACE` | Deploy to a specific namespace | | `IMAGE_REGISTRY` | Override container registry host (e.g., OpenShift internal registry route) | | `IMAGE` | Override full image reference for apply | +| `ALLOWED_HTTP_HOSTS` | Comma-separated hostnames allowed through DNS rebinding protection (auto-set by `deploy.sh` for OpenShift routes) | ```bash NAMESPACE=my-gps deploy/deploy.sh apply @@ -258,5 +259,5 @@ The workflow automatically creates a `quay-pull-secret` in the `gps-mcp-server` - The database is opened read-only (`?mode=ro`, `PRAGMA query_only = ON`) - No authentication required — GPS serves organizational data, not secrets - HTTP mode includes DNS rebinding protection (localhost, Docker internal only by default) +- Set `ALLOWED_HTTP_HOSTS` env var (comma-separated) to allow additional hostnames (e.g., OpenShift routes, reverse proxy hosts). `deploy.sh` auto-injects the route hostname for OpenShift overlays. - No TLS — use a reverse proxy or Route for TLS termination -- Add service hostnames to `ALLOWED_HTTP_HOSTS` in `mcp_server.py` if deploying behind a proxy
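Review bot: In the Environment table hunk (`@@ -197,6 +197,7 @@`), the new `ALLOWED_HTTP_HOSTS` row does not say whether the listed hostnames are added to the default allowlist (localhost, Docker internal) or replace it. The Security Notes bullet says "additional", so the table row should use the same wording. The row also says the value is "auto-set by `deploy.sh` for OpenShift routes" without stating what happens when the operator exports `ALLOWED_HTTP_HOSTS` themselves, as the `NAMESPACE=my-gps deploy/deploy.sh apply` example just below invites: is the route hostname appended to the operator's value, or does one override the other? Suggest stating the precedence in the row or in a sentence under the table.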
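Review bot: In the Security Notes hunk (`@@ -258,5 +259,5 @@`), the added `ALLOWED_HTTP_HOSTS` bullet does not describe the accepted entry format. The same list states that no authentication is required, so this allowlist is the only control against DNS rebinding in HTTP mode, and a reader needs to know whether entries are matched exactly, whether a port must be included for non-default ports (for example `host:port`), and whether wildcards are accepted. Suggest adding one sentence on matching semantics and a short example value, and spelling out "environment variable" instead of "env var" to match the rest of the document. The removed line tied the setting to "deploying behind a proxy"; it would help to keep that trigger explicit so operators know the variable must be set whenever the server is reached under a hostname other than the defaults.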