originAllowed
originAllowed(originHeader, allowedHosts, previewRange?): boolean
Defined in: src/validate.ts:676
Returns true when the request should be allowed through the CSRF origin check.
When previewRange is supplied, any Origin whose port falls in
[base, base + count) is rejected even if its hostname is allowlisted —
a preview app running on that port shares the HUD’s hostname and could
otherwise forge /api mutations (CSRF via blind cross-origin POST).
CLI / curl clients (no Origin header) are always allowed through.
Parameters
originHeader
string | null | undefined
allowedHosts
string[]
previewRange?
number
number
Returns
boolean
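A sketch of the check described above, added here as an illustration; it is not the code in src/validate.ts. It shows the preview-port rejection being applied before the hostname allowlist, and the handling of a missing, malformed or default-port Origin. Assumptions: the name originAllowedSketch, the { base, count } shape of previewRange (inferred from the "[base, base + count)" wording), exact hostname matching, and strict parsing of the header as scheme://host[:port].

```typescript
// Added sketch, not the project's implementation. PreviewRange's shape is an
// assumption taken from the "[base, base + count)" wording in the description.
interface PreviewRange { base: number; count: number; }

// A serialized origin is scheme://host[:port] with no path, query or userinfo.
// The host is either a bracketed IPv6 literal or a plain hostname.
const ORIGIN_RE = /^(https?):\/\/(\[[0-9a-f:.]+\]|[^\/:?#@\s\[\]]+)(?::(\d{1,5}))?$/i;

function originAllowedSketch(
  originHeader: string | null | undefined,
  allowedHosts: string[],
  previewRange?: PreviewRange,
): boolean {
  // No Origin header at all: CLI / curl clients are allowed through.
  if (originHeader === null || originHeader === undefined) return true;

  // Anything that is not a well-formed http(s) origin is rejected, which
  // covers the literal "null" origin sent by sandboxed or opaque contexts.
  const m = ORIGIN_RE.exec(originHeader.trim());
  if (m === null) return false;

  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  // Browsers omit default ports, so derive the effective port from the scheme.
  const port = m[3] !== undefined ? Number(m[3]) : scheme === "https" ? 443 : 80;
  if (port > 65535) return false;

  // Port check comes first: a preview app shares the allowlisted hostname,
  // so the hostname match alone cannot tell it apart from the HUD.
  if (
    previewRange !== undefined &&
    port >= previewRange.base &&
    port < previewRange.base + previewRange.count
  ) {
    return false;
  }

  // Exact, case-insensitive hostname match; no suffix or substring matching.
  return allowedHosts.some((h) => h.toLowerCase() === host);
}
```

The upper bound is exclusive, so with base 4000 and count 10 port 4009 is rejected and port 4010 is not.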