docs: remove unvalidated Host header examples from baseURL docs

Replace raw `request.headers.get("host")` examples with safer
alternatives to avoid encouraging host-header injection patterns.
Raees Iqbal
2026-03-11 04:24:35 -07:00
committed by Gustavo Valverde
parent d06f2d7dfc
commit a3671edddb
2 changed files with 7 additions and 16 deletions

@@ -88,9 +88,9 @@ When using a [dynamic base URL](/docs/concepts/dynamic-base-url) (allowed hosts
import { betterAuth } from "better-auth"
export const auth = betterAuth({
baseURL: (request) => {
const host = request.headers.get("host");
return `https://${host}`;
baseURL: {
allowedHosts: ["auth.example1.com", "auth.example2.com"],
protocol: "https",
},
advanced: {
crossSubDomainCookies: {
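Review bot: the replacement of `const host = request.headers.get("host");` / return `https://${host}`; with `allowedHosts: ["auth.example1.com", "auth.example2.com"]` and `protocol: "https"` is the right shape, since the removed lines built the base URL from a client-controlled header with no check, which is the host-header injection pattern the commit message names. What the hunk does not say is what happens to a request whose `Host` is not in `allowedHosts` (rejected, or resolved to some fixed entry); a one-sentence note after the block would stop readers from assuming the list is merely advisory. Also confirm the `crossSubDomainCookies` block that follows still derives a domain consistently for both listed hosts, since the hunk header mentions that derivation only for the static-string case.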
@@ -101,6 +101,8 @@ export const auth = betterAuth({
})
```
This also works with [function-based baseURL](/docs/concepts/dynamic-base-url#function-based-resolution) for multi-tenant setups. See the Dynamic Base URL documentation for examples and security guidance.
### Secure Cookies
By default, cookies are secure only when the server is running in production mode. You can force cookies to be always secure by setting `useSecureCookies` to `true` in the `advanced` object in the auth options.
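Review bot: the added cross-reference "See the Dynamic Base URL documentation for examples and security guidance" promises guidance that the companion hunk in this same commit thins out, since it deletes the only synchronous function-based example and keeps just the async database one; make sure the linked `#function-based-resolution` section still shows a validated example (an explicit allowlist check before the URL is built), or soften this sentence to point at the allowed-hosts form shown above as the recommended option for multi-tenant setups.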

@@ -241,20 +241,9 @@ With a static `baseURL` string, `crossSubDomainCookies` derives the domain from
## Function-Based Resolution
For multi-tenant and white-label applications where valid domains aren't known at deploy time, you can pass a function that resolves the base URL from each request:
For multi-tenant and white-label applications where valid domains aren't known at deploy time, you can pass a function that resolves the base URL from each request. The function receives the incoming `Request` and must return a URL string.
```ts title="auth.ts"
import { betterAuth } from "better-auth"
export const auth = betterAuth({
baseURL: (request) => {
const host = request.headers.get("host");
return `https://${host}`;
},
})
```
The function receives the incoming `Request` and must return a URL string. It can also be async, making it possible to look up domains from a database:
It can be async, making it possible to look up and validate domains from a database:
```ts title="auth.ts"
import { betterAuth } from "better-auth"
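Review bot: removing the block with `const host = request.headers.get("host");` / return `https://${host}`; leaves the new sentence "The function receives the incoming `Request` and must return a URL string" with no minimal example beside it, and the reader's only remaining illustration is the async database example that begins at the end of this hunk. Since the retained text now says the function should "look up and validate domains from a database", that example needs to show the failure path explicitly: when the lookup finds no tenant for the incoming host, throw or return a fixed fallback rather than reaching for the `Host` header value, otherwise the doc reintroduces the exact pattern this commit deletes. A short sentence stating that the returned URL must never be assembled from the raw header unless the host has already passed the allowlist or lookup would make the security intent of the edit visible in the docs themselves.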