Companion URL security

When using the Companion Import From URL (https://uppy.io/docs/url/), how can it be configured to exclude some URLs (e.g. access to localhost)?

It can be a security risk if Companion allows the user to access any sources accessible from the server.

Companion handles that for you when running in production (with debug set to false). It blocks requests to any local URLs, and only allows the http(s) protocol. You can have a look at this Pull Request for some of the implementations and discussions around this.

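A sketch of the kind of check the answer above describes (http(s) only, no local addresses). This is an added example, not Companion's code and not part of the original posts; the function names, the range list and the caller-supplied `resolved` address list are assumptions.

```javascript
// Added example; not Companion's code. All names here are hypothetical.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Non-public IPv4 ranges as [network, prefix length]; illustrative, not exhaustive.
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function v4ToInt(ip) {
  const p = ip.split('.');
  if (p.length !== 4 || !p.every((o) => /^\d{1,3}$/.test(o) && Number(o) < 256)) return null;
  return p.reduce((n, o) => n * 256 + Number(o), 0);
}

function isBlockedV4(ip) {
  const n = v4ToInt(ip);
  if (n === null) return true; // fail closed on anything we cannot parse
  return BLOCKED_V4.some(([net, bits]) => {
    const size = 2 ** (32 - bits);
    return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
  });
}

// Expects canonical text form, as produced by the URL parser or a DNS lookup.
function isBlockedAddress(addr) {
  const a = addr.toLowerCase().replace(/^\[|\]$/g, '');
  if (!a.includes(':')) return isBlockedV4(a);
  if (a === '::' || a === '::1') return true; // unspecified, loopback
  if (/^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a)) return true; // ULA, link-local
  const d = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped, dotted form
  if (d) return isBlockedV4(d[1]);
  const m = a.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // IPv4-mapped, hex form
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
}

// `resolved`: addresses the caller got from DNS for this host (kept out so this runs offline).
function checkImportUrl(raw, resolved = []) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable' }; }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return { ok: false, reason: 'protocol' };
  const host = url.hostname.replace(/\.$/, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'local-name' };
  // The URL parser has already normalized IPv4 spellings to dotted form.
  const literal = host.startsWith('[') || /^[\d.]+$/.test(host);
  const candidates = literal ? [host] : resolved;
  if (candidates.length === 0) return { ok: false, reason: 'unresolved' };
  if (candidates.some(isBlockedAddress)) return { ok: false, reason: 'local-address' };
  return { ok: true, reason: null };
}
```

In a real service the same address check has to cover the address the HTTP client actually connects to, including after each redirect, because a hostname can resolve differently between validation and fetch.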