From 5f0203aee9dc313480bfc518bc6f8cc4008a92f7 Mon Sep 17 00:00:00 2001
From: karthikrajanv2026
Date: Sun, 14 Jun 2026 13:44:37 +0530
Subject: [PATCH] docs(@angular/ssr): add SSRF security note to createNodeRequestHandler Hono example
---
 packages/angular/ssr/node/src/handler.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/packages/angular/ssr/node/src/handler.ts b/packages/angular/ssr/node/src/handler.ts
index d95199e00d07..3bbc067eb884 100644
--- a/packages/angular/ssr/node/src/handler.ts
+++ b/packages/angular/ssr/node/src/handler.ts
@@ -55,6 +55,14 @@ export type NodeRequestHandlerFunction = (
 * });
 * ```
 *
+ * @remarks
+ * **Security note:** `createWebRequestFromNodeRequest()` builds the request URL directly from the
+ * `Host` and `X-Forwarded-*` headers and does not validate them. When integrating with a
+ * third-party framework as shown above, configure `allowedHosts` (and, if needed,
+ * `trustProxyHeaders`) via `AngularNodeAppEngine`, or otherwise validate these headers yourself,
+ * to prevent Server-Side Request Forgery (SSRF). For more information, see
+ * https://angular.dev/best-practices/security#preventing-server-side-request-forgery-ssrf.
+ *
 * @example
 * Usage in a Fastify application:
 * ```ts
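Review bot: The added `@remarks` says "as shown above", so it reads as scoped to the Hono example, while the Fastify example that follows in the same comment presumably reaches the same unvalidated `Host` / `X-Forwarded-*` handling. Moving the block ahead of the first `@example` and wording it as `When integrating with a third-party framework, as in the examples below, configure allowedHosts ...` would cover both, and the sentence would still make sense in doc output that renders remarks apart from examples. The parenthetical "(and, if needed, `trustProxyHeaders`)" gives no condition for enabling it; a line such as `Enable trustProxyHeaders only when the server is reachable solely through a reverse proxy that overwrites client-supplied X-Forwarded-* headers.` would help, provided that matches the option's actual semantics, which this hunk does not show. The doc comment starts and ends outside the hunk, so the Hono example and any later examples were not reviewed.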