Problem
When accessing DockDash from another machine on a local network, the Shell/Terminal feature fails to connect. The backend WebSocket upgrade handler only allows incoming connections with Origin header hostnames of localhost or 127.0.0.1. Any LAN Origin (e.g. http://192.168.1.50:3001) receives a 403 Forbidden, blocking Shell for remote users.
Impact
- The Shell/exec feature is effectively localhost-only. Users cannot exec into containers when accessing from other devices on their network.
Recommendation
- Make the list of allowed hosts configurable (e.g.
ALLOWED_ORIGIN_HOSTS env variable).
- Default to
localhost, allow LAN IP/hostname if enabled.
- Document the security implications clearly, and ensure the solution does not weaken security for installations exposed to WAN.
Problem
When accessing DockDash from another machine on a local network, the Shell/Terminal feature fails to connect. The backend WebSocket upgrade handler only allows incoming connections with
Originheader hostnames oflocalhostor127.0.0.1. Any LAN Origin (e.g.http://192.168.1.50:3001) receives a 403 Forbidden, blocking Shell for remote users.Impact
Recommendation
ALLOWED_ORIGIN_HOSTSenv variable).localhost, allow LAN IP/hostname if enabled.