fix(@angular/ssr): add support for configuring trusted proxy headers via environment variable

alan-agius4 · alan-agius4 · commit 4a3e6d102c82 · 2026-04-27T07:05:17.000Z
Adds support for configuring trusted proxy headers via the `NG_TRUSTED_PROXY_HEADERS` environment variable in `AngularNodeAppEngine`.
This allows users to specify which proxy headers (such as `X-Forwarded-Host`) should be trusted when running the server-side application behind a reverse proxy, without needing to modify the application code. The environment variable accepts a comma-separated list of header names.
If the `NG_TRUSTED_PROXY_HEADERS` environment variable is set and contains non-empty values, it will take precedence over the `trustProxyHeaders` option provided programmatically in the `AngularNodeAppEngine` constructor options.
diff --git a/packages/angular/ssr/node/src/app-engine.ts b/packages/angular/ssr/node/src/app-engine.ts
@@ -10,7 +10,7 @@ import { AngularAppEngine } from '@angular/ssr';
 import type { IncomingMessage } from 'node:http';
 import type { Http2ServerRequest } from 'node:http2';
 import { AngularAppEngineOptions } from '../../src/app-engine';
-import { getAllowedHostsFromEnv } from './environment-options';
+import { getAllowedHostsFromEnv, getTrustedProxyHeadersFromEnv } from './environment-options';
 import { attachNodeGlobalErrorHandlers } from './errors';
 import { createWebRequestFromNodeRequest } from './request';
 
@@ -40,7 +40,11 @@ export class AngularNodeAppEngine {
       ...options,
       allowedHosts: [...getAllowedHostsFromEnv(), ...(options?.allowedHosts ?? [])],
     });
-    this.trustProxyHeaders = options?.trustProxyHeaders;
+
+    const envTrustedProxyHeaders = getTrustedProxyHeadersFromEnv();
+    this.trustProxyHeaders = envTrustedProxyHeaders.length
+      ? envTrustedProxyHeaders
+      : options?.trustProxyHeaders;
 
     attachNodeGlobalErrorHandlers();
   }
diff --git a/packages/angular/ssr/node/src/environment-options.ts b/packages/angular/ssr/node/src/environment-options.ts
@@ -11,19 +11,30 @@
  * @returns An array of allowed hosts.
  */
 export function getAllowedHostsFromEnv(): ReadonlyArray<string> {
-  const allowedHosts: string[] = [];
-  const envNgAllowedHosts = process.env['NG_ALLOWED_HOSTS'];
-  if (!envNgAllowedHosts) {
-    return allowedHosts;
+  return getArrayFromEnv('NG_ALLOWED_HOSTS');
+}
+
+/**
+ * Retrieves the list of trusted proxy headers from the environment variable `NG_TRUSTED_PROXY_HEADERS`.
+ * @returns An array of trusted proxy headers.
+ */
+export function getTrustedProxyHeadersFromEnv(): ReadonlyArray<string> {
+  return getArrayFromEnv('NG_TRUSTED_PROXY_HEADERS');
+}
+
+function getArrayFromEnv(envName: string): ReadonlyArray<string> {
+  const envValue = process.env[envName];
+  if (!envValue) {
+    return [];
   }
 
-  const hosts = envNgAllowedHosts.split(',');
-  for (const host of hosts) {
-    const trimmed = host.trim();
+  const values: string[] = [];
+  for (const value of envValue.split(',')) {
+    const trimmed = value.trim();
     if (trimmed.length > 0) {
-      allowedHosts.push(trimmed);
+      values.push(trimmed);
     }
   }
 
-  return allowedHosts;
+  return values;
 }
