From a3671edddb7c91fcfa0b7fe47df4dc250520e70f Mon Sep 17 00:00:00 2001
From: Raees Iqbal <10067728+RaeesBhatti@users.noreply.github.com>
Date: Wed, 11 Mar 2026 04:24:35 -0700
Subject: [PATCH] docs: remove unvalidated Host header examples from baseURL docs

Replace raw `request.headers.get("host")` examples with safer alternatives to avoid encouraging host-header injection patterns.
---
 docs/content/docs/concepts/cookies.mdx          |  8 +++++---
 docs/content/docs/concepts/dynamic-base-url.mdx | 15 ++-------------
 2 files changed, 7 insertions(+), 16 deletions(-)

diff --git a/docs/content/docs/concepts/cookies.mdx b/docs/content/docs/concepts/cookies.mdx
index f206ac0222..484d324a89 100644
--- a/docs/content/docs/concepts/cookies.mdx
+++ b/docs/content/docs/concepts/cookies.mdx
@@ -88,9 +88,9 @@ When using a [dynamic base URL](/docs/concepts/dynamic-base-url) (allowed hosts
 import { betterAuth } from "better-auth"
 
 export const auth = betterAuth({
-  baseURL: (request) => {
-    const host = request.headers.get("host");
-    return `https://${host}`;
+  baseURL: {
+    allowedHosts: ["auth.example1.com", "auth.example2.com"],
+    protocol: "https",
   },
   advanced: {
     crossSubDomainCookies: {
@@ -101,6 +101,8 @@ export const auth = betterAuth({
 })
 ```
 
+This also works with [function-based baseURL](/docs/concepts/dynamic-base-url#function-based-resolution) for multi-tenant setups. See the Dynamic Base URL documentation for examples and security guidance.
+
 ### Secure Cookies
 
 By default, cookies are secure only when the server is running in production mode. You can force cookies to be always secure by setting `useSecureCookies` to `true` in the `advanced` object in the auth options.
diff --git a/docs/content/docs/concepts/dynamic-base-url.mdx b/docs/content/docs/concepts/dynamic-base-url.mdx
index 354dcc0c75..61f2f4201b 100644
--- a/docs/content/docs/concepts/dynamic-base-url.mdx
+++ b/docs/content/docs/concepts/dynamic-base-url.mdx
@@ -241,20 +241,9 @@ With a static `baseURL` string, `crossSubDomainCookies` derives the domain from
 ## Function-Based Resolution
 
-For multi-tenant and white-label applications where valid domains aren't known at deploy time, you can pass a function that resolves the base URL from each request:
+For multi-tenant and white-label applications where valid domains aren't known at deploy time, you can pass a function that resolves the base URL from each request. The function receives the incoming `Request` and must return a URL string.
 
-```ts title="auth.ts"
-import { betterAuth } from "better-auth"
-
-export const auth = betterAuth({
-  baseURL: (request) => {
-    const host = request.headers.get("host");
-    return `https://${host}`;
-  },
-})
-```
-
-The function receives the incoming `Request` and must return a URL string. It can also be async, making it possible to look up domains from a database:
+It can be async, making it possible to look up and validate domains from a database:
 
 ```ts title="auth.ts"
 import { betterAuth } from "better-auth"