[GH-ISSUE #7502] Clarification: Is baseURL necessary when trustedOrigins is configured? #10827

New Issue

GiteaMirror · 2026-04-13T07:11:35-05:00

GiteaMirror commented

2026-04-13 07:11:35 -05:00

Originally created by @issam-seghir on GitHub (Jan 20, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/7502

Question

I'm trying to understand the relationship between baseURL and trustedOrigins configuration options, and whether baseURL can be omitted entirely when trustedOrigins is properly configured.

Context

According to the documentation:

baseURL is used for generating callback URLs (OAuth, email verification, password reset)
trustedOrigins is the primary CSRF protection mechanism that validates Origin headers

The docs state:

If baseURL is not explicitly set, the system first checks for the BETTER_AUTH_URL environment variable. If that's also not set, the baseURL is inferred from the incoming request.

However, the docs also say:

However, relying on request inference is not recommended; for security and stability, baseURL should always be explicitly set.

Current Setup

We have a comprehensive trustedOrigins configuration covering:

Production domains
Staging/preview domains
Development ports (3000-3010, 5000-5010, 8000-8010)
Dev tunnels
Local network IPs

Currently using:

export const auth = betterAuth({
    // No explicit baseURL - letting Better Auth infer from request
    trustedOrigins: getTrustedOrigins(), // Returns 100+ origins
    // ... other config
});

Questions

Is baseURL actually necessary if trustedOrigins is comprehensively configured and handles all CSRF protection?
What are the specific security/stability risks of relying on request inference when trustedOrigins validates every request?
Does omitting baseURL have any implications beyond URL generation that aren't obvious from the documentation?
Is there a recommended pattern for development workflows where developers frequently switch between:
- Different localhost ports (3000, 5000, 8080, etc.)
- Dev tunnels (devtunnels.ms, ngrok, etc.)
- Local network IPs for mobile testing

Why This Matters

Having to set baseURL explicitly creates friction in development:

Requires env changes every time switching ports/tunnels
Defeats the purpose of having comprehensive trustedOrigins
Request inference seems to work perfectly for generating callback URLs

Since trustedOrigins already provides the security layer (CSRF protection, origin validation, Fetch Metadata protection), it's unclear why explicit baseURL is "highly recommended" beyond URL generation, which request inference handles automatically.

Expected Behavior

Ideally, documentation would clarify:

Whether baseURL omission is safe with proper trustedOrigins
Specific scenarios where explicit baseURL is required (beyond "recommended")
Best practices for dynamic development environments

Thank you for your guidance!

Originally created by @issam-seghir on GitHub (Jan 20, 2026). Original GitHub issue: https://github.com/better-auth/better-auth/issues/7502 ## Question I'm trying to understand the relationship between `baseURL` and `trustedOrigins` configuration options, and whether `baseURL` can be omitted entirely when `trustedOrigins` is properly configured. ## Context According to the documentation: 1. **`baseURL`** is used for generating callback URLs (OAuth, email verification, password reset) 2. **`trustedOrigins`** is the primary CSRF protection mechanism that validates Origin headers The docs state: > If `baseURL` is not explicitly set, the system first checks for the `BETTER_AUTH_URL` environment variable. If that's also not set, the `baseURL` is inferred from the incoming request. However, the docs also say: > However, relying on request inference is not recommended; for security and stability, `baseURL` should always be explicitly set. ## Current Setup We have a comprehensive `trustedOrigins` configuration covering: - Production domains - Staging/preview domains - Development ports (3000-3010, 5000-5010, 8000-8010) - Dev tunnels - Local network IPs Currently using: ```typescript export const auth = betterAuth({ // No explicit baseURL - letting Better Auth infer from request trustedOrigins: getTrustedOrigins(), // Returns 100+ origins // ... other config }); ``` ## Questions 1. **Is `baseURL` actually necessary** if `trustedOrigins` is comprehensively configured and handles all CSRF protection? 2. **What are the specific security/stability risks** of relying on request inference when `trustedOrigins` validates every request? 3. **Does omitting `baseURL` have any implications** beyond URL generation that aren't obvious from the documentation? 4. **Is there a recommended pattern** for development workflows where developers frequently switch between: - Different localhost ports (3000, 5000, 8080, etc.) - Dev tunnels (devtunnels.ms, ngrok, etc.) - Local network IPs for mobile testing ## Why This Matters Having to set `baseURL` explicitly creates friction in development: - Requires env changes every time switching ports/tunnels - Defeats the purpose of having comprehensive `trustedOrigins` - Request inference seems to work perfectly for generating callback URLs Since `trustedOrigins` already provides the security layer (CSRF protection, origin validation, Fetch Metadata protection), it's unclear why explicit `baseURL` is "highly recommended" beyond URL generation, which request inference handles automatically. ## Expected Behavior Ideally, documentation would clarify: - Whether `baseURL` omission is safe with proper `trustedOrigins` - Specific scenarios where explicit `baseURL` is required (beyond "recommended") - Best practices for dynamic development environments Thank you for your guidance!

GiteaMirror added the locked label 2026-04-13 07:11:35 -05:00

GiteaMirror closed this issue

2026-04-13 07:11:35 -05:00

GiteaMirror commented

2026-04-13 07:11:36 -05:00

@better-auth-agent[bot] commented on GitHub (Jan 20, 2026):

Hi there! Thanks for your detailed question about the baseURL and trustedOrigins configuration options in Better Auth.

Is baseURL actually necessary if trustedOrigins is comprehensively configured?
While trustedOrigins can handle CSRF protection, having baseURL explicitly set is strongly recommended for security and stability reasons. It ensures that callbacks (like OAuth and password resets) are correctly generated and avoids potential issues with inferred values, particularly in production environments [1].
What are the specific security/stability risks of relying on request inference?
Relying on inferred baseURL can lead to undefined behavior, especially if the incoming request doesn’t match expected patterns. For example, in the absence of an explicitly defined baseURL, session cookies may lack important security flags (like the Secure flag when in production) [3].
Does omitting baseURL have any implications beyond URL generation?
Yes, not specifying baseURL can impact cookie security and the proper functioning of features that rely on predictable callback URLs. It's possible to encounter unexpected behaviors or errors if the request does not match the inferred origin, which can lead to security vulnerabilities [1][3].
Is there a recommended pattern for dynamic development workflows?
Using environment variables for baseURL is common, but it can create friction in development settings where ports frequently change. An enhancement proposal suggests allowing baseURL to accept a function that can derive it from requests, similar to how trustedOrigins works. This would offer flexibility in dynamic environments [2].

To summarize, while extensive trustedOrigins configuration is helpful, explicitly defining baseURL is critical for ensuring secure and stable authentication flows.

Do you have any specific scenarios in your development workflow where you're experiencing issues related to these configurations? I'd love to hear more!

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Jan 20, 2026): Hi there! Thanks for your detailed question about the `baseURL` and `trustedOrigins` configuration options in Better Auth. 1. **Is `baseURL` actually necessary if `trustedOrigins` is comprehensively configured?** While `trustedOrigins` can handle CSRF protection, having `baseURL` explicitly set is strongly recommended for security and stability reasons. It ensures that callbacks (like OAuth and password resets) are correctly generated and avoids potential issues with inferred values, particularly in production environments [[1]](https://github.com/better-auth/better-auth/pull/6882). 2. **What are the specific security/stability risks of relying on request inference?** Relying on inferred `baseURL` can lead to undefined behavior, especially if the incoming request doesn’t match expected patterns. For example, in the absence of an explicitly defined `baseURL`, session cookies may lack important security flags (like the Secure flag when in production) [[3]](https://github.com/better-auth/better-auth/issues/7156). 3. **Does omitting `baseURL` have any implications beyond URL generation?** Yes, not specifying `baseURL` can impact cookie security and the proper functioning of features that rely on predictable callback URLs. It's possible to encounter unexpected behaviors or errors if the request does not match the inferred origin, which can lead to security vulnerabilities [[1]](https://github.com/better-auth/better-auth/pull/6882)[[3]](https://github.com/better-auth/better-auth/issues/7156). 4. **Is there a recommended pattern for dynamic development workflows?** Using environment variables for `baseURL` is common, but it can create friction in development settings where ports frequently change. An enhancement proposal suggests allowing `baseURL` to accept a function that can derive it from requests, similar to how `trustedOrigins` works. This would offer flexibility in dynamic environments [[2]](https://github.com/better-auth/better-auth/issues/4151). To summarize, while extensive `trustedOrigins` configuration is helpful, explicitly defining `baseURL` is critical for ensuring secure and stable authentication flows. Do you have any specific scenarios in your development workflow where you're experiencing issues related to these configurations? I'd love to hear more! _If you need more help, tag @better-auth-agent in a comment so I can respond._  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 07:11:37 -05:00

@issam-seghir commented on GitHub (Jan 20, 2026):

@better-auth-agent Thanks for the detailed explanation! I understand the importance of explicit baseURL for security and stability.

The Core Problem

My specific pain point is that baseURL doesn't accept an array, which creates friction in our development workflow. We frequently switch between:

Localhost ports: http://localhost:3000, http://localhost:5000, http://localhost:8080, etc.
Dev tunnels: https://ghgg1z2v-3000.euw.devtunnels.ms, https://sqf0q86p-3000.uks1.devtunnels.ms
Different developer machines: Each developer may use different ports or tunnel URLs

Currently, this requires changing the BETTER_AUTH_URL environment variable every single time we switch between these scenarios, which is very disruptive to the development flow.

Current Setup

We have comprehensive trustedOrigins configured with 100+ origins covering:

trustedOrigins: [
  // All localhost ports 3000-3010, 5000-5010, 8000-8010 (both http/https)
  // All dev tunnel URLs
  // Production domains
  // Staging domains
]

All these origins are already validated and trusted for CSRF protection, but we still need to manually update baseURL to match whichever environment we're currently using.

Ideal Solution

You mentioned an enhancement proposal for baseURL to accept a function (similar to trustedOrigins). This would be perfect for our use case:

export const auth = betterAuth({
  baseURL: async (request) => {
    // Return the origin from the incoming request
    // Still secure because trustedOrigins validates it
    return request?.headers?.get('host') 
      ? `${request.headers.get('x-forwarded-proto') || 'http'}://${request.headers.get('host')}`
      : process.env.FALLBACK_URL;
  },
  trustedOrigins: getTrustedOrigins(), // 100+ validated origins
});

Questions

Is there a recommended workaround for dynamic development environments until the function-based baseURL is implemented?
Would omitting baseURL entirely work if we have comprehensive trustedOrigins? You mentioned it can lead to undefined behavior, but could you elaborate on specific failure scenarios?
Is the function-based baseURL enhancement on the roadmap? If so, is there an estimated timeline or PR we could follow/contribute to?

Our current workaround is to omit baseURL and let it infer from requests, but given your security concerns, I'd like to understand the specific risks we're taking.

Thank you!

@issam-seghir commented on GitHub (Jan 20, 2026): @better-auth-agent Thanks for the detailed explanation! I understand the importance of explicit `baseURL` for security and stability. ## The Core Problem My specific pain point is that **`baseURL` doesn't accept an array**, which creates friction in our development workflow. We frequently switch between: - **Localhost ports**: `http://localhost:3000`, `http://localhost:5000`, `http://localhost:8080`, etc. - **Dev tunnels**: `https://ghgg1z2v-3000.euw.devtunnels.ms`, `https://sqf0q86p-3000.uks1.devtunnels.ms` - **Different developer machines**: Each developer may use different ports or tunnel URLs Currently, this requires changing the `BETTER_AUTH_URL` environment variable **every single time** we switch between these scenarios, which is very disruptive to the development flow. ## Current Setup We have comprehensive `trustedOrigins` configured with **100+ origins** covering: ```typescript trustedOrigins: [ // All localhost ports 3000-3010, 5000-5010, 8000-8010 (both http/https) // All dev tunnel URLs // Production domains // Staging domains ] ``` All these origins are already validated and trusted for CSRF protection, but we still need to manually update `baseURL` to match whichever environment we're currently using. ## Ideal Solution You mentioned an enhancement proposal for `baseURL` to accept a function (similar to `trustedOrigins`). This would be **perfect** for our use case: ```typescript export const auth = betterAuth({ baseURL: async (request) => { // Return the origin from the incoming request // Still secure because trustedOrigins validates it return request?.headers?.get('host') ? `${request.headers.get('x-forwarded-proto') || 'http'}://${request.headers.get('host')}` : process.env.FALLBACK_URL; }, trustedOrigins: getTrustedOrigins(), // 100+ validated origins }); ``` ## Questions 1. **Is there a recommended workaround** for dynamic development environments until the function-based `baseURL` is implemented? 2. **Would omitting `baseURL` entirely** work if we have comprehensive `trustedOrigins`? You mentioned it can lead to undefined behavior, but could you elaborate on specific failure scenarios? 3. **Is the function-based `baseURL` enhancement** on the roadmap? If so, is there an estimated timeline or PR we could follow/contribute to? Our current workaround is to omit `baseURL` and let it infer from requests, but given your security concerns, I'd like to understand the specific risks we're taking. Thank you!

GiteaMirror commented

2026-04-13 07:11:37 -05:00

@better-auth-agent[bot] commented on GitHub (Jan 20, 2026):

Hi there! I'd be happy to help address your questions regarding the configuration of baseURL and trustedOrigins in Better Auth.

Is there a recommended workaround for dynamic development environments until the function-based baseURL is implemented?
Currently, the best practice is to manually set baseURL as there isn't yet a built-in function to handle this dynamically. However, you might explore using a script that updates the environment variable based on the context you're working in.
Would omitting baseURL entirely work if we have comprehensive trustedOrigins?
While it is technically possible to omit baseURL, doing so can lead to undefined behavior, particularly in production and multi-domain setups. It's recommended to set an explicit baseURL for better security and to avoid issues like incorrect redirect URIs, especially since relying on inferred values could result in missing security flags in cookies [2], [3].
Is the function-based baseURL enhancement on the roadmap?
Yes, there is an ongoing proposal for a function-based approach for baseURL, similar to trustedOrigins, but it is still in the enhancement discussion phase. There’s no final timeline yet, but you can follow the related issue on GitHub for updates [2].

It's great to see your engagement with Better Auth! Do you have any other questions regarding integration or best practices?

Diagram • Discord • GitHub

@better-auth-agent[bot] commented on GitHub (Jan 20, 2026): Hi there! I'd be happy to help address your questions regarding the configuration of `baseURL` and `trustedOrigins` in Better Auth. 1. **Is there a recommended workaround for dynamic development environments until the function-based `baseURL` is implemented?** Currently, the best practice is to manually set `baseURL` as there isn't yet a built-in function to handle this dynamically. However, you might explore using a script that updates the environment variable based on the context you're working in. 2. **Would omitting `baseURL` entirely work if we have comprehensive `trustedOrigins`?** While it is technically possible to omit `baseURL`, doing so can lead to undefined behavior, particularly in production and multi-domain setups. It's recommended to set an explicit `baseURL` for better security and to avoid issues like incorrect redirect URIs, especially since relying on inferred values could result in missing security flags in cookies [[2]](https://github.com/better-auth/better-auth/issues/4151), [[3]](https://github.com/better-auth/better-auth/pull/6797). 3. **Is the function-based `baseURL` enhancement on the roadmap?** Yes, there is an ongoing proposal for a function-based approach for `baseURL`, similar to `trustedOrigins`, but it is still in the enhancement discussion phase. There’s no final timeline yet, but you can follow the related issue on GitHub for updates [[2]](https://github.com/better-auth/better-auth/issues/4151). It's great to see your engagement with Better Auth! Do you have any other questions regarding integration or best practices?  [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)

GiteaMirror commented

2026-04-13 07:11:38 -05:00

@himself65 commented on GitHub (Jan 20, 2026):

Is baseURL necessary when trustedOrigins is configured?

Yes. And baseURL shouldn't be an array. It means for the URL of the auth server.

If you are asking about baseURL per reuqest, see https://github.com/better-auth/better-auth/issues/4151

@himself65 commented on GitHub (Jan 20, 2026): > Is `baseURL` necessary when trustedOrigins is configured? Yes. And baseURL shouldn't be an array. It means for the URL of the auth server. If you are asking about baseURL per reuqest, see https://github.com/better-auth/better-auth/issues/4151

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#10827

[GH-ISSUE #7502] Clarification: Is baseURL necessary when trustedOrigins is configured? #10827

Question

Context

Current Setup

Questions

Why This Matters

Expected Behavior

The Core Problem

Current Setup

Ideal Solution

Questions

[GH-ISSUE #7502] Clarification: Is `baseURL` necessary when `trustedOrigins` is configured? #10827