fix: address PR review feedback

- Fix unreachable secure logic in getRenderingKey by removing default resolver.
- Correct JSDocs for host-based cache keys and getSafeHost fallback behavior.
- Fix case-sensitivity in TestEngineRunner request mock.
- Resolve type errors in default optimization options.

Author: l3tchupkt

core-libs/setup/ssr/express-utils/express-request-safe-host.ts

@@ -7,10 +7,15 @@
 import { Request } from 'express';
 
 /**
- * Returns a safe host from the request object.
+ * Returns a trusted host from the request object.
  *
- * It checks the `X-Forwarded-Host` header and validates it against the `allowedHosts` list.
- * If the header is missing, invalid, or not in the allowlist, it falls back to the `Host` header.
+ * It first checks the `X-Forwarded-Host` header and returns it only if it is valid
+ * and matches the `allowedHosts` list. If `X-Forwarded-Host` is missing, invalid,
+ * or not allowlisted, it then checks the `Host` header and returns it only if it is
+ * also valid and allowlisted.
+ *
+ * If neither header passes validation and allowlist checks, this function returns
+ * `undefined`, and callers should treat that as "no trusted host".
  *
  * @param req - Express Request object
  * @param allowedHosts - Optional list of allowed hosts
@@ -27,11 +32,7 @@ export function getSafeHost(req: Request, allowedHosts?: string[]): string | und
   const normalizedAllowedHosts = allowedHosts?.map(normalize);
 
   const isAllowed = (host: string, normalizedAllowed?: string[]): boolean => {
-    return (
-      normalizedAllowed?.some(
-        (allowed) => host === allowed || host.endsWith(`.${allowed}`)
-      ) ?? false
-    );
+    return normalizedAllowed?.some((allowed) => host === allowed) ?? false;
   };
 
   const extractFirst = (value?: string | string[]): string | undefined => {

core-libs/setup/ssr/optimized-engine/optimized-ssr-engine.spec.ts

@@ -109,8 +109,11 @@ class TestEngineRunner {
         protocol: 'https',
         originalUrl: url,
         headers: requestHeaders,
-        get: (header: string): string | string[] | null | undefined => {
-          return requestHeaders[header];
+        get: (header: string): any => {
+          const key = Object.keys(requestHeaders).find(
+            (k) => k.toLowerCase() === header.toLowerCase()
+          );
+          return key ? requestHeaders[key] : undefined;
         },
         app,
         connection: <Partial<Socket>>{},
@@ -645,6 +648,35 @@ describe('OptimizedSsrEngine', () => {
         ).toHaveBeenCalledWith(`${domain}:${route}`);
       }));
 
+      it('should use host header when x-forwarded-host is absent and host is allowlisted', fakeAsync(() => {
+        const domain = 'allowed.com';
+        const engineRunner = new TestEngineRunner({
+          timeout: 200,
+          cache: true,
+          useHostInCacheKey: true,
+          allowedHosts: [domain],
+        });
+
+        jest.spyOn(
+          engineRunner.optimizedSsrEngine as any,
+          'isConcurrencyLimitExceeded'
+        );
+
+        const route = 'home';
+
+        engineRunner.request(route, {
+          httpHeaders: {
+            host: domain,
+          },
+        });
+
+        tick(200);
+
+        expect(
+          engineRunner.optimizedSsrEngine['isConcurrencyLimitExceeded']
+        ).toHaveBeenCalledWith(`${domain}:${route}`);
+      }));
+
       it('should use only first value from comma-separated x-forwarded-host', fakeAsync(() => {
         const engineRunner = new TestEngineRunner({
           useHostInCacheKey: true,
@@ -698,7 +730,7 @@ describe('OptimizedSsrEngine', () => {
         ).toHaveBeenCalledWith(`${route}`);
       }));
 
-      it('should normalize hosts and support subdomains', fakeAsync(() => {
+      it('should normalize hosts but require strict matching (no implicit subdomains)', fakeAsync(() => {
         const engineRunner = new TestEngineRunner({
           useHostInCacheKey: true,
           allowedHosts: ['example.com'],
@@ -710,18 +742,31 @@ describe('OptimizedSsrEngine', () => {
         );
 
         const route = 'home';
-        // Test case, port, trailing dot AND subdomain
+        // Test case, port, and trailing dot with matching host
         engineRunner.request(route, {
           httpHeaders: {
-            'x-forwarded-host': 'WWW.EXAMPLE.com:443.',
+            'x-forwarded-host': 'EXAMPLE.com:443.',
+          },
+        });
+
+        // Test non-matching subdomain
+        engineRunner.request(route, {
+          httpHeaders: {
+            'x-forwarded-host': 'www.example.com',
           },
         });
 
         tick(200);
 
+        // First one matches because example.com is allowlisted
         expect(
           engineRunner.optimizedSsrEngine['isConcurrencyLimitExceeded']
-        ).toHaveBeenCalledWith('www.example.com:home');
+        ).toHaveBeenCalledWith('example.com:home');
+
+        // Second one falls back to path-only because subdomain is not implicitly allowed anymore
+        expect(
+          engineRunner.optimizedSsrEngine['isConcurrencyLimitExceeded']
+        ).toHaveBeenCalledWith('home');
       }));
 
       it('should reject invalid hostnames and too long hosts', fakeAsync(() => {

core-libs/setup/ssr/optimized-engine/ssr-optimization-options.ts

@@ -88,7 +88,7 @@ export interface SsrOptimizationOptions {
 
   /**
    * Allows overriding default key generator for custom differentiating
-   * between rendered pages. By default it uses the full request URL.
+   * between rendered pages. By default, it is host-independent (originalUrl).
    *
    * @param req
    */
@@ -207,7 +207,7 @@ export interface SsrOptimizationOptions {
   /**
    * Toggles using the host in the cache key.
    *
-   * By default, the host is not used in the cache key as it can be easily spoofed.
+   * By default, the cache key is host-independent (originalUrl) as the host header can be spoofed.
    * However, some deployments may require host-based cache keys (e.g., multi-domain setups).
    */
   useHostInCacheKey?: boolean;
@@ -216,7 +216,7 @@ export interface SsrOptimizationOptions {
    * List of allowed hosts for host-based cache keys.
    *
    * If `useHostInCacheKey` is set to true, only hosts in this list will be used in the cache key.
-   * If the host is not in this list, it will fallback to the value of the `Host` header.
+   * Returns undefined if neither `X-Forwarded-Host` nor `Host` matching this list is found (safe fallback).
    */
   allowedHosts?: string[];
 }
@@ -247,8 +247,12 @@ type DefaultSsrOptimizationOptions = Omit<
   Required<SsrOptimizationOptions>,
   | 'debug' // debug is deprecated and not used anymore
   | 'ttl' // ttl is required but its default value is `undefined`
+  | 'renderKeyResolver' // renderKeyResolver is optional and defaults to undefined to allow for secure default logic in the engine
+  | 'allowedHosts' // allowedHosts is optional and defaults to undefined
 > & {
   ttl: number | undefined; // needed, otherwise we could not set the value `ttl: undefined` value (due to the Required<...>)
+  renderKeyResolver: ((req: Request) => string) | undefined;
+  allowedHosts: string[] | undefined;
 } & DeepRequired<
     // all nested properties of `ssrFeatureToggles` are required too
     Pick<
@@ -274,9 +278,10 @@ export const defaultSsrOptimizationOptions: DefaultSsrOptimizationOptions = {
   ),
   logger: new DefaultExpressServerLogger(),
   shouldCacheRenderingResult: ({ entry: { err } }) => !err,
-  renderKeyResolver: getDefaultRenderKey,
+  renderKeyResolver: undefined,
   ssrFeatureToggles: {
     limitCacheByMemory: true,
   },
   useHostInCacheKey: false,
+  allowedHosts: undefined,
 };