doc: correct unsafe URL example in http docs
Co-authored-by: @astlouisf
Co-authored-by: @samhh
The previous documentation example for converting request.url to a URL object was unsafe, as it could allow a server crash through malformed URL inputs and potentially enable host header attacks.
This commit revises the example to use string concatenation over the usage of the baseUrl and removes the usage of req.headers.host as the authority part of the URL, mitigating both the crash and security risks by ensuring the host part of the URL remains controlled and predictable.
Fixes #52494 (closed)
Successor of #52536
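The difference this commit message describes, as an added example that is not the code from the commit or from the Node.js documentation: it parses constructed request targets once against a base built from the Host header and once concatenated onto a fixed origin. The helper names and `TRUSTED_ORIGIN` are assumptions made for illustration.

```javascript
// Added illustration; helper names are hypothetical.
// TRUSTED_ORIGIN is an assumed, server-configured value (never client input).
const TRUSTED_ORIGIN = 'http://localhost';

// Pattern the commit describes as unsafe: the request target is resolved
// against a base URL built from the client-supplied Host header.
function parseWithHostHeaderBase(requestTarget, hostHeader) {
  return new URL(requestTarget, `http://${hostHeader}`);
}

// Pattern the commit moves to: fixed authority, request target concatenated.
function parseWithFixedOrigin(requestTarget) {
  return new URL(`${TRUSTED_ORIGIN}${requestTarget}`);
}

// Run a parser and report the outcome instead of letting the TypeError
// escape (in a request handler an uncaught throw ends the process).
function tryParse(parser, ...args) {
  try {
    const url = parser(...args);
    return { ok: true, host: url.host, pathname: url.pathname };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed sample inputs: request target plus Host header value.
const samples = [
  { target: '/items?id=1', host: 'localhost' },       // ordinary request
  { target: '/items', host: 'other.example' },        // Host header chosen by client
  { target: '//other.example/x', host: 'localhost' }, // scheme-relative target
  { target: '//', host: 'localhost' },                // empty authority
  { target: '/items', host: 'bad host' },             // Host header that is not a valid host
];

// Parse every sample both ways so the results can be compared side by side.
function compare(inputs) {
  return inputs.map(({ target, host }) => ({
    target,
    host,
    hostHeaderBase: tryParse(parseWithHostHeaderBase, target, host),
    fixedOrigin: tryParse(parseWithFixedOrigin, target),
  }));
}

console.log(JSON.stringify(compare(samples), null, 2));
```

With the fixed origin, every sample parses and `host` stays `localhost`; the leading slashes end up in `pathname` instead of being read as an authority.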