Using HTTP "Host" header to help validate requests
I'm building some HTTP endpoints for internal use and want to validate requests through them using a token. However, I want to use a different token for prod and dev Convex environments. In looking for a way to identify programmatically which environment is running the function, I noticed that the request's "Host" header matches the root HTTP endpoint URL; e.g. "perfect-ant-202.convex.site". Is it safe to compare against that to determine if the dev or prod URL was called? Is there a chance that this header will change in the future?
Is anyone able to offer input or clarification on this?
Safest thing is to set the environment variables yourself for now.
I do plan on using environment variables, but my question is whether or not I can reference that header to know which variable value to look for. For example, if I call a prod endpoint and can confirm the endpoint URL via the header, then I know to check the passed token against the prod environment variable value. In other words, I want to have one code base that can work for either dev or prod, and use the header to know which environment variable to expect as the token.
If you just set the same variable to "production" or "development" in the two separate deployments, you can do this with 100% confidence. You don't need the host header.
Ah, good point. I hadn't thought about that approach. Thanks!
What I might do is use something like production:[prodtoken] and development:[devtoken]. That way one variable can serve both purposes.
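The approach the thread settles on, sketched as an added example that is not part of the original thread and not Convex's own code: each deployment carries one variable in the "environment:token" form suggested above, and the handler decides which environment it is from that variable alone, never from the Host header. The variable value format beyond that, the Bearer scheme and all function names are assumptions; the token values are constructed.

```javascript
// Added example. The deployment's variable is assumed to hold
// "<environment>:<token>", e.g. "development:dev-secret-constructed".

// Parse the variable; return null for anything malformed so callers fail closed.
function parseDeployAuth(value) {
  if (typeof value !== "string") return null;
  const sep = value.indexOf(":");
  if (sep <= 0 || sep === value.length - 1) return null;
  const environment = value.slice(0, sep);
  if (environment !== "production" && environment !== "development") return null;
  return { environment, token: value.slice(sep + 1) };
}

// Compare two strings without returning early at the first differing byte.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// headers: anything with get(name), such as a Request's Headers object.
// envValue: the deployment's variable, read by the caller from its environment.
// The Host header is never consulted.
function authorize(headers, envValue) {
  const config = parseDeployAuth(envValue);
  if (config === null) {
    // Missing or malformed configuration: reject everything.
    return { ok: false, status: 500, environment: null };
  }
  const auth = headers.get("authorization") ?? "";
  const match = /^Bearer (.+)$/.exec(auth);
  if (match === null || !constantTimeEqual(match[1], config.token)) {
    return { ok: false, status: 401, environment: config.environment };
  }
  return { ok: true, status: 200, environment: config.environment };
}
```

The same code runs unchanged in both deployments; only the variable's value differs between them.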