
Function isAllowedOrigin

apps/docs/app/api/chat/route.ts:141–161

Reject obvious cross-origin calls. Same-origin browser requests send an `Origin` header matching the host; we allow those, plus any host in DOCS_ALLOWED_ORIGINS (comma-separated). Requests with no Origin (e.g. curl) are allowed through to the cost caps rather than blocked, since Origin is trivially spoofable and is a filter, not a security boundary.


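 * trivially spoofable and is a filter, not a security boundary.
 *
 * Entries in DOCS_ALLOWED_ORIGINS may be bare hosts (`docs.example.com`) or
 * full origins (`https://docs.example.com`); the latter are reduced to their
 * host before comparison, so either spelling works.
 *
 * @param req - Incoming request; only its headers are read.
 * @returns `true` when the caller may proceed (no Origin, same host, or an
 *   allowlisted host); `false` on a malformed or cross-origin Origin.
 */
function isAllowedOrigin(req: Request): boolean {
  const origin = req.headers.get('origin')
  // No Origin header (non-browser client): let the cost caps handle it.
  if (!origin) return true

  // `Origin: null` (sandboxed iframes, file://) and malformed values are not
  // absolute URLs and are rejected here.
  const originHost = originHostOf(origin)
  if (originHost === undefined) return false

  // NOTE(review): x-forwarded-host is preferred over host, so this comparison
  // is only meaningful if the edge proxy overwrites that header. Confirm the
  // deployment strips client-supplied x-forwarded-host; otherwise a client can
  // make Origin and the forwarded host agree and satisfy this branch.
  const forwardedHost = req.headers.get('x-forwarded-host') ?? req.headers.get('host')
  // Forwarded-host lists are comma-separated; the first entry is the original.
  const requestHost = forwardedHost?.split(',')[0]?.trim().toLowerCase()
  if (requestHost && originHost === requestHost) return true

  const allowlist = (process.env.DOCS_ALLOWED_ORIGINS ?? '')
    .split(',')
    .map((value) => value.trim().toLowerCase())
    .filter(Boolean)
    // Full origins are normalised to their host; bare hosts are kept as-is
    // (a bare `host:port` would mis-parse as a scheme, hence the `://` guard).
    .map((entry) => (entry.includes('://') ? (originHostOf(entry) ?? entry) : entry))
  return allowlist.includes(originHost)
}

/**
 * Lower-cased `host` (hostname plus any explicit port) of an absolute URL
 * string, or `undefined` when the string does not parse as one.
 *
 * @param value - Candidate URL such as an Origin header value.
 * @returns The normalised host, or `undefined` for unparsable input.
 */
function originHostOf(value: string): string | undefined {
  try {
    return new URL(value).host.toLowerCase()
  } catch {
    return undefined
  }
}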
162
163const SYSTEM_PROMPT = `You are the documentation assistant for Sim — the open-source AI workspace where teams build, deploy, and manage AI agents.
164
