Hello dear community,
Is it possible to set the host / forwarded headers for the generation of password reset links explicitly? Our goal is to avoid host-header-injection attacks, where users requesting a password reset link can be forwarded to an insecure website.
Currently, the standard reset credentials flow is activated for resetting a user's password, and I was unable to find a header config option. I would like to know if it is possible to remove host-headers for the password reset link entirely.
Thank you very much for your help.
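
The concern in the post above, as an added example that is not part of the original post and is not the code or configuration of any particular product: a reset-link builder that trusts request headers, beside one that takes the origin only from deployment configuration. The names `CANONICAL_BASE_URL`, the `/reset` path, the function names and the sample headers are all hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, urlencode

# Assumption: the operator sets the public origin once, at deploy time.
CANONICAL_BASE_URL = "https://sso.example.test"  # constructed placeholder

# Constructed request headers: Host and X-Forwarded-Host disagree.
SAMPLE_HEADERS = {
    "Host": "sso.example.test",
    "X-Forwarded-Host": "other.example.test",
}


def reset_link_from_headers(headers, token):
    """Weak pattern: the link origin is copied from client-supplied headers."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}/reset?{urlencode({'token': token})}"


def reset_link_from_config(token, base_url=CANONICAL_BASE_URL):
    """Hardened pattern: request headers never reach the link builder."""
    parts = urlsplit(base_url)
    # Accept only a bare https origin: no userinfo, path, query or fragment.
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("base URL must be a bare https origin")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("base URL must not carry a path, query or fragment")
    return f"https://{parts.netloc}/reset?{urlencode({'token': token})}"


def host_matches_config(headers, base_url=CANONICAL_BASE_URL):
    """Defence in depth: flag requests whose host headers differ from config."""
    expected = urlsplit(base_url).netloc.lower()
    seen = [headers[h] for h in ("Host", "X-Forwarded-Host") if h in headers]
    return bool(seen) and all(v.strip().lower() == expected for v in seen)


if __name__ == "__main__":
    print("from headers:", reset_link_from_headers(SAMPLE_HEADERS, "abc123"))
    print("from config: ", reset_link_from_config("abc123"))
    print("headers match config:", host_matches_config(SAMPLE_HEADERS))
```

A mismatch reported by `host_matches_config` is a reasonable point to reject the request or log it for review, since the configured origin is the only one the mail should ever contain.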