From 876ccdae5fb6be685fac6e7c43cfda7463e71d1b Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 12:20:57 +0800
Subject: [PATCH] fix(proxy): validate host against allowlist to prevent open redirect (fixes #65)

---
 apps/logicsrc-web/src/proxy.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/apps/logicsrc-web/src/proxy.ts b/apps/logicsrc-web/src/proxy.ts
index 4abbb77..3a319c0 100644
--- a/apps/logicsrc-web/src/proxy.ts
+++ b/apps/logicsrc-web/src/proxy.ts
@@ -4,12 +4,13 @@ import type { NextRequest } from "next/server";
 // Canonical host: 301 www.* to the bare apex domain over https, preserving
 // path + query (e.g. https://www.logicsrc.com/foo -> https://logicsrc.com/foo).
 // This is the Next 16 "proxy" (formerly middleware) entrypoint.
+const ALLOWED_APEX = process.env.PUBLIC_DOMAIN || "logicsrc.com";
+
 export function proxy(request: NextRequest): NextResponse {
 const host = request.headers.get("host") ?? "";
- if (host.startsWith("www.")) {
- const apexHost = host.slice("www.".length);
+ if (host === `www.${ALLOWED_APEX}`) {
 const { pathname, search } = request.nextUrl;
- return NextResponse.redirect(`https://${apexHost}${pathname}${search}`, 301);
+ return NextResponse.redirect(`https://${ALLOWED_APEX}${pathname}${search}`, 301);
 }
 return NextResponse.next();
 }
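Review bot: The exact match `host === \`www.${ALLOWED_APEX}\`` compares the raw Host header, so a request whose Host carries a port (constructed example: `www.logicsrc.com:443`) or different letter case is no longer canonicalised. This fails closed, so the open-redirect fix holds, but the 301 silently stops for those requests. Consider normalising before the comparison, e.g. `const host = (request.headers.get("host") ?? "").toLowerCase().replace(/:\d+$/, "");`. `PUBLIC_DOMAIN` is interpolated into the redirect target unchecked, so a value containing a scheme, a path or uppercase letters would either never match or yield a malformed Location. A comment on `ALLOWED_APEX` such as `// Must be a bare lowercase hostname (no scheme, port or path); it is the only redirect target.` would make that contract explicit. The leading comment still says `www.*` although only the configured apex is matched now.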