From c849e544634d827614379816a807906e77e3b19f Mon Sep 17 00:00:00 2001 From: "promptless[bot]" Date: Tue, 31 Mar 2026 23:11:59 +0000 Subject: [PATCH 1/8] Document Trusted Hosts regex format and validation Expand documentation for the Trusted Hosts configuration setting to: - Explain that regex patterns are required, not plain hostnames - Provide correct and incorrect examples - Document the new validation behavior that prevents invalid patterns - Add a caution warning about lockout risk Related to mautic/mautic PR #16006. --- docs/configuration/settings.rst | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index d6995548..99bb4c07 100644 --- a/docs/configuration/settings.rst +++ b/docs/configuration/settings.rst 
@@ -70,8 +70,26 @@ Miscellaneous settings :width: 600 :alt: Screenshot showing Miscellaneous Settings Configuration in Mautic -* **Trusted hosts** - To explicitly allow the hosts that can send requests to Mautic. You can use regular expression and separate multiple hosts with a comma. i.e ``.*\.?example.com$``. If left empty, Mautic will respond to all hosts. - +* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. This field requires regular expression patterns, not plain hostnames. Separate multiple patterns with a comma. + + For example, to allow requests from ``example.com``: + + - **Correct:** ``^example\.com$`` - anchored pattern that matches only example.com + - **Incorrect:** ``example.com`` - plain hostname won't work + + Additional examples: + + - ``^.*\.example\.com$`` - matches any subdomain of example.com + - ``^(www\.)?example\.com$`` - matches example.com with or without www + + Mautic validates your input and displays an error if the pattern isn't a valid regular expression. Invalid patterns won't save. + + If left empty, Mautic responds to all hosts. + +.. caution:: + + Enter values carefully. An invalid pattern could prevent access to your Mautic instance. If you get locked out, you'll need to manually edit the database or configuration file to fix the setting. + * **Trusted proxies** - To configure the IP addresses that Mautic should trust as proxies. This setting is mandatory when using Mautic behind an SSL terminating proxy. Separate multiple IP addresses by a comma. i.e ``127.0.0.1, 10.0.0.0/8, fc00::/7`` * **IP lookup service** - By default, Mautic uses :xref:`MaxMind's` database to identify the city of a website visitor, based on the location of the Internet Service Provider - ISP - for their IP address. From a49dc460b6b1787639792ac46c60038b2e09ad40 Mon Sep 17 00:00:00 2001 
From: "promptless[bot]" Date: Thu, 2 Apr 2026 18:50:49 +0000 Subject: [PATCH 2/8] Resolve base-branch merge conflicts --- docs/configuration/settings.rst | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index f0a1fcf7..55140095 100644 --- a/docs/configuration/settings.rst +++ b/docs/configuration/settings.rst @@ -74,7 +74,6 @@ Miscellaneous settings :width: 600 :alt: Screenshot showing Miscellaneous Settings Configuration in Mautic -<<<<<<< HEAD * **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. This field requires regular expression patterns, not plain hostnames. Separate multiple patterns with a comma. For example, to allow requests from ``example.com``: @@ -97,13 +96,6 @@ Miscellaneous settings * **Trusted proxies** - To configure the IP addresses that Mautic should trust as proxies. This setting is mandatory when using Mautic behind an SSL terminating proxy. Separate multiple IP addresses by a comma. i.e ``127.0.0.1, 10.0.0.0/8, fc00::/7`` -||||||| c97c206 -* **Trusted hosts** - To explicitly allow the hosts that can send requests to Mautic. You can use regular expression and separate multiple hosts with a comma. i.e ``.*\.?example.com$``. If left empty, Mautic will respond to all hosts. - -* **Trusted proxies** - To configure the IP addresses that Mautic should trust as proxies. This setting is mandatory when using Mautic behind an SSL terminating proxy. Separate multiple IP addresses by a comma. i.e ``127.0.0.1, 10.0.0.0/8, fc00::/7`` - -======= ->>>>>>> 7.1 * **IP lookup service** - By default, Mautic uses :xref:`MaxMind's` database to identify the city of a website visitor, based on the location of the Internet Service Provider - ISP - for their IP address. * **IP lookup service authentication** - To use any IP lookup service which requires authentication, enter your credentials. From 9cb60a3277c0460cb6fc439a140fac727be22d21 Mon Sep 17 00:00:00 2001 
From: "promptless[bot]" Date: Tue, 21 Apr 2026 12:51:57 +0000 Subject: [PATCH 3/8] Fix Trusted Hosts documentation to match actual validation behavior The previous documentation incorrectly stated that Trusted Hosts requires regex patterns only. The merged PR #16006 actually accepts both: - Plain domain names (e.g., mautic.yourdomain.com) - Regex patterns for advanced matching (e.g., .*\.?trusted.com$) Also removes duplicate entries that were incorrectly placed in both CORS settings and Miscellaneous settings sections. --- docs/configuration/settings.rst | 34 +++++++++------------------------ 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index 53fa175c..f796bb9a 100644 --- a/docs/configuration/settings.rst +++ b/docs/configuration/settings.rst 
@@ -59,11 +59,17 @@ Cross-Origin Resource Sharing - CORS - allows data to pass between your website * **Valid Domains** - A list of domains allowed to communicate with your Mautic instance. In the text box, list the exact URL of the top level domain you want to allow, one per line. For example: ``http://www.example.com`` tracks any activity on non-secure example.com pages, but ``https://www.example.com`` won't because this is only tracking on a secure ``https://`` website. -* **Trusted hosts** - To explicitly allow the hosts that can send requests to Mautic. You can use regular expression and separate multiple hosts with a comma. i.e ``.*\.?example.com$``. If left empty, Mautic will respond to all hosts. - +* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where your Mautic is installed, such as ``mautic.yourdomain.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?trusted.com$`` becomes ``/.*\.?trusted.com$/``. If left empty, Mautic responds to all hosts. + + Mautic validates your input when you save. If a value isn't a valid domain name or regex pattern, you'll see an error message. + + .. caution:: + + Setting this incorrectly can prevent access to your Mautic instance. If you get locked out, you'll need to manually edit the database or configuration file to fix the setting. + * **Trusted proxies** - To configure the IP addresses that Mautic should trust as proxies. This setting is mandatory when using Mautic behind an SSL terminating proxy. Separate multiple IP addresses by a comma. i.e ``127.0.0.1, 10.0.0.0/8, fc00::/7`` -.. note:: +.. note:: In the Valid Domains field, don't include a slash at the end. For example, use ``https://www.example.com`` instead of ``https://www.example.com/``. 
@@ -74,28 +80,6 @@ Miscellaneous settings :width: 600 :alt: Screenshot showing Miscellaneous Settings Configuration in Mautic -* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. This field requires regular expression patterns, not plain hostnames. Separate multiple patterns with a comma. - - For example, to allow requests from ``example.com``: - - - **Correct:** ``^example\.com$`` - anchored pattern that matches only example.com - - **Incorrect:** ``example.com`` - plain hostname won't work - - Additional examples: - - - ``^.*\.example\.com$`` - matches any subdomain of example.com - - ``^(www\.)?example\.com$`` - matches example.com with or without www - - Mautic validates your input and displays an error if the pattern isn't a valid regular expression. Invalid patterns won't save. - - If left empty, Mautic responds to all hosts. - -.. caution:: - - Enter values carefully. An invalid pattern could prevent access to your Mautic instance. If you get locked out, you'll need to manually edit the database or configuration file to fix the setting. - -* **Trusted proxies** - To configure the IP addresses that Mautic should trust as proxies. This setting is mandatory when using Mautic behind an SSL terminating proxy. Separate multiple IP addresses by a comma. i.e ``127.0.0.1, 10.0.0.0/8, fc00::/7`` - * **IP lookup service** - By default, Mautic uses :xref:`MaxMind's` database to identify the city of a website visitor, based on the location of the Internet Service Provider - ISP - for their IP address. * **IP lookup service authentication** - To use any IP lookup service which requires authentication, enter your credentials. From 41318ac0333981894d03d7b3a196c0618faafa06 Mon Sep 17 00:00:00 2001 
From: "promptless[bot]" Date: Wed, 22 Apr 2026 09:50:46 +0000 Subject: [PATCH 4/8] Address review feedback: use active voice Apply reviewer suggestions to remove "will" and use more direct active voice in the Trusted Hosts validation documentation. --- docs/configuration/settings.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index f796bb9a..684f567a 100644 --- a/docs/configuration/settings.rst +++ b/docs/configuration/settings.rst @@ -61,11 +61,11 @@ Cross-Origin Resource Sharing - CORS - allows data to pass between your website * **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where your Mautic is installed, such as ``mautic.yourdomain.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?trusted.com$`` becomes ``/.*\.?trusted.com$/``. If left empty, Mautic responds to all hosts. - Mautic validates your input when you save. If a value isn't a valid domain name or regex pattern, you'll see an error message. + Mautic validates your input during the save process. Invalid domain names or regex patterns trigger an error message. .. caution:: - Setting this incorrectly can prevent access to your Mautic instance. If you get locked out, you'll need to manually edit the database or configuration file to fix the setting. + Incorrect settings can prevent access to your Mautic instance. Getting locked out requires manually editing the database or configuration file to fix the setting. * **Trusted proxies** - To configure the IP addresses that Mautic should trust as proxies. This setting is mandatory when using Mautic behind an SSL terminating proxy. Separate multiple IP addresses by a comma. i.e ``127.0.0.1, 10.0.0.0/8, fc00::/7`` From 4f706598c8cc2f23f5e11f5f4f5ac3ca3ea70375 Mon Sep 17 00:00:00 2001 
From: "promptless[bot]" Date: Thu, 23 Apr 2026 08:03:08 +0000 Subject: [PATCH 5/8] Address reviewer feedback on Trusted Hosts documentation - Use 'regular expression' instead of 'regex' per Vale style guide - Fix caution admonition indentation to 3 spaces --- docs/configuration/settings.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index 684f567a..77374af9 100644 --- a/docs/configuration/settings.rst +++ b/docs/configuration/settings.rst @@ -61,11 +61,11 @@ Cross-Origin Resource Sharing - CORS - allows data to pass between your website * **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where your Mautic is installed, such as ``mautic.yourdomain.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?trusted.com$`` becomes ``/.*\.?trusted.com$/``. If left empty, Mautic responds to all hosts. - Mautic validates your input during the save process. Invalid domain names or regex patterns trigger an error message. + Mautic validates your input during the save process. Invalid domain names or regular expression patterns trigger an error message. .. caution:: - Incorrect settings can prevent access to your Mautic instance. Getting locked out requires manually editing the database or configuration file to fix the setting. + Incorrect settings can prevent access to your Mautic instance. Getting locked out requires manually editing the database or configuration file to fix the setting. * **Trusted proxies** - To configure the IP addresses that Mautic should trust as proxies. This setting is mandatory when using Mautic behind an SSL terminating proxy. Separate multiple IP addresses by a comma. i.e ``127.0.0.1, 10.0.0.0/8, fc00::/7`` From 3643f28ac7d4e4f5b32eac1d2733cb2b1d6cb6e1 Mon Sep 17 00:00:00 2001 
From: "promptless[bot]" Date: Thu, 23 Apr 2026 08:09:58 +0000 Subject: [PATCH 6/8] Apply reviewer feedback: use active voice for Trusted hosts Change "where your Mautic is installed" to "where you installed Mautic" per reviewer request. --- docs/configuration/settings.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index 77374af9..e2785f04 100644 --- a/docs/configuration/settings.rst +++ b/docs/configuration/settings.rst @@ -59,7 +59,7 @@ Cross-Origin Resource Sharing - CORS - allows data to pass between your website * **Valid Domains** - A list of domains allowed to communicate with your Mautic instance. In the text box, list the exact URL of the top level domain you want to allow, one per line. For example: ``http://www.example.com`` tracks any activity on non-secure example.com pages, but ``https://www.example.com`` won't because this is only tracking on a secure ``https://`` website. -* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where your Mautic is installed, such as ``mautic.yourdomain.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?trusted.com$`` becomes ``/.*\.?trusted.com$/``. If left empty, Mautic responds to all hosts. +* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where you installed Mautic, such as ``mautic.yourdomain.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?trusted.com$`` becomes ``/.*\.?trusted.com$/``. If left empty, Mautic responds to all hosts. Mautic validates your input during the save process. Invalid domain names or regular expression patterns trigger an error message. 
From 20acc1bf5b5b78e3d4ca029d99daf4f7f44f4496 Mon Sep 17 00:00:00 2001 From: "promptless[bot]" Date: Thu, 23 Apr 2026 18:16:22 +0000 Subject: [PATCH 7/8] Apply reviewer feedback: use example.com consistently MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changed domain examples in Trusted hosts documentation for consistency: - mautic.yourdomain.com → mautic.example.com - trusted.com → example.com in regular expression examples --- docs/configuration/settings.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index e2785f04..a3a9ac3b 100644 --- a/docs/configuration/settings.rst +++ b/docs/configuration/settings.rst 
@@ -59,7 +59,7 @@ Cross-Origin Resource Sharing - CORS - allows data to pass between your website * **Valid Domains** - A list of domains allowed to communicate with your Mautic instance. In the text box, list the exact URL of the top level domain you want to allow, one per line. For example: ``http://www.example.com`` tracks any activity on non-secure example.com pages, but ``https://www.example.com`` won't because this is only tracking on a secure ``https://`` website. -* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where you installed Mautic, such as ``mautic.yourdomain.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?trusted.com$`` becomes ``/.*\.?trusted.com$/``. If left empty, Mautic responds to all hosts. +* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where you installed Mautic, such as ``mautic.example.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?example.com$`` becomes ``/.*\.?example.com$/``. If left empty, Mautic responds to all hosts. Mautic validates your input during the save process. Invalid domain names or regular expression patterns trigger an error message. From 6e9ccb4df3bbba453b1c4b92f1b03104a7c4902d Mon Sep 17 00:00:00 2001 From: "promptless[bot]" Date: Thu, 23 Apr 2026 18:20:06 +0000 Subject: [PATCH 8/8] Apply reviewer feedback: change "For example" to "For instance" Avoids word repetition since example.com is already used in the text. --- docs/configuration/settings.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/settings.rst b/docs/configuration/settings.rst index a3a9ac3b..74a172cf 100644 --- a/docs/configuration/settings.rst 
+++ b/docs/configuration/settings.rst @@ -59,7 +59,7 @@ Cross-Origin Resource Sharing - CORS - allows data to pass between your website * **Valid Domains** - A list of domains allowed to communicate with your Mautic instance. In the text box, list the exact URL of the top level domain you want to allow, one per line. For example: ``http://www.example.com`` tracks any activity on non-secure example.com pages, but ``https://www.example.com`` won't because this is only tracking on a secure ``https://`` website. -* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where you installed Mautic, such as ``mautic.example.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For example, ``.*\.?example.com$`` becomes ``/.*\.?example.com$/``. If left empty, Mautic responds to all hosts. +* **Trusted hosts** - Explicitly allow hosts that can send requests to Mautic. Enter the domain name where you installed Mautic, such as ``mautic.example.com``. Separate multiple hosts with a comma. You can also use regular expressions for advanced matching, which Mautic encloses with ``/`` delimiters. For instance, ``.*\.?example.com$`` becomes ``/.*\.?example.com$/``. If left empty, Mautic responds to all hosts. Mautic validates your input during the save process. Invalid domain names or regular expression patterns trigger an error message.
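Review bot: In PATCH 1/8, the added caution ("An invalid pattern could prevent access to your Mautic instance") contradicts the sentence a few lines above it ("Invalid patterns won't save"). If validation rejects malformed patterns, the lockout case is a well-formed pattern that does not match the host name used to reach Mautic. The caution should say that, for example "A pattern that doesn't match the host name you use to reach Mautic prevents access". The same hunk also marks ``example.com`` as "Incorrect", which the PATCH 3/8 commit message says does not match the merged validation. Squashing the series would keep that intermediate wording out of the history.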
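Review bot: In PATCH 2/8, the conflict resolution keeps the HEAD side of the Miscellaneous settings block even though the 7.1 side (between ``=======`` and ``>>>>>>> 7.1``) is empty, meaning the base branch had already removed **Trusted hosts** and **Trusted proxies** from that section. Keeping HEAD reintroduces both entries there while the CORS section still carries them, and PATCH 3/8 then has to delete the duplicates. Resolve toward the 7.1 side and apply the new Trusted hosts wording to the CORS entry in the same commit. The presence of ``<<<<<<< HEAD`` and ``||||||| c97c206`` lines in the tracked file also suggests adding a check for conflict markers to the docs build.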
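Review bot: In PATCH 3/8 (first hunk, wording later adjusted in 4/8 and 5/8), the caution says that recovery "requires manually editing the database or configuration file" without naming the file or the setting to change. A locked-out administrator cannot open the UI to look it up, so the caution should give the file path and key, or link to a recovery page. The same paragraph says Mautic encloses regular expressions with ``/`` delimiters but does not say how a plain entry such as ``mautic.yourdomain.com`` is matched (exact host only, or also treated as a pattern). One sentence on that would tell readers whether the plain form is an exact allowlist entry. Since "If left empty, Mautic responds to all hosts" describes the unrestricted state, consider adding a recommendation to set the field on production instances.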
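Review bot: In PATCH 7/8 and 8/8, the regular expression carried forward as the documented example, ``.*\.?example.com$``, is looser than the allowlist it illustrates. It has no ``^`` anchor, the ``\.?`` makes the separating dot optional, and the ``.`` before ``com`` is unescaped, so read as a regular expression it also matches a host such as ``notexample.com``. Readers copy documentation examples into a host allowlist verbatim, so the example should be anchored and escaped, for instance ``^(.+\.)?example\.com$`` for the domain and its subdomains. PATCH 1/8 already had forms of this kind (``^example\.com$``, ``^(www\.)?example\.com$``) which PATCH 3/8 dropped; restoring one of them alongside the plain-domain example would keep the stricter guidance.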