Commit 7f9234f

docs(readme): document --use-x-forwarded-host and env var

Explain when to enable, behavior (first value, comma-trimming, hostname-only, IPv6),
and security considerations (trusted proxy).

Co-authored-by: hugodutka <28019628+hugodutka@users.noreply.github.com>
1 parent bbf9102 commit 7f9234f

1 file changed

+2
-0
lines changed

README.md

Lines changed: 2 additions & 0 deletions
@@ -102,6 +102,8 @@ agentapi server --allowed-hosts 'example.com,example.org' -- claude
102102
AGENTAPI_ALLOWED_HOSTS='example.com example.org' agentapi server -- claude
103103
```
104104

105+
If you're running behind a trusted reverse proxy that sets the `X-Forwarded-Host` header, you can opt in to using that header for host authorization with `--use-x-forwarded-host` (or `AGENTAPI_USE_X_FORWARDED_HOST=true`). When enabled, the server prefers the first `X-Forwarded-Host` value (trimming anything after a comma), extracts the hostname (ignoring any port, supports IPv6 bracket literals), and matches it against the allowed host list. Leave this disabled unless your deployment terminates at a trusted proxy.
106+
105107
#### Allowed origins
106108

107109
By default, the server allows CORS requests from `http://localhost:3284`, `http://localhost:3000`, and `http://localhost:3001`. If you'd like to change which origins can make cross-origin requests to AgentAPI, you can change this by using the `AGENTAPI_ALLOWED_ORIGINS` environment variable or the `--allowed-origins` flag.
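
Review bot: In the added paragraph (README line 106), "trusted reverse proxy" does not say what the proxy has to do, and that matters because the server takes the first `X-Forwarded-Host` value. If the proxy appends to or passes through a client-supplied header, the first value is whatever the client sent, and the allowed-hosts check is then evaluated against client-controlled input. Suggest stating that the proxy must overwrite (not append to) `X-Forwarded-Host` and that AgentAPI should only be reachable through that proxy when the flag is on. "Prefers" also leaves the fallback unstated: document what is matched when the header is missing or empty (presumably the `Host` header) and how a malformed value is handled. Minor wording: "ignoring any port, supports IPv6 bracket literals" mixes verb forms; "ignoring any port and supporting IPv6 bracket literals" reads cleaner.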
