Addresses SSRF risk

2026-05-27 13:44:54 +00:00 · 2026-03-21 19:14:51 +01:00
parent d4e19646ee
commit 07757e747e
7 changed files with 124 additions and 4 deletions
--- a/.env.example
+++ b/.env.example
@@ -17,3 +17,7 @@ DB_PASSWORD=
 SESSION_DOMAIN=null
 SANCTUM_STATEFUL_DOMAIN=
 TRUSTED_PROXIES="*"
+
+# Dompdf: keep false so untrusted HTML in PDF notes cannot trigger outbound requests (SSRF).
+# Set true only if you fully trust all PDF HTML and need remote images/CSS.
+DOMPDF_ENABLE_REMOTE=false