Hi, The current "allow.hosts" setting of the ReferrerFilter can be configured with a list of trusted hosts. In a setup where the list of allowed hosts is expending as the application runs, it becomes tricky to keep the configuration in sync. As an example, a service which supports wilcard uris such as <userId>. my.service.com would be required to modify the reference filter configuration for each user which is hardly doable.
Thus, I would propose to support regex patterns for the list of "allow.hosts". which would still be secure. The example above would be configured as: allow.hosts=*.my.service.com wdyt ? Regards, Timothee.