From 95b15190dedab255c102db023af2d90eacf3a259 Mon Sep 17 00:00:00 2001
From: Phantasm <phantasm@centrum.cz>
Date: Wed, 13 May 2026 00:32:16 +0200
Subject: [PATCH] ActivityPubController: require validated host header

---
 lib/pleroma/web/activity_pub/activity_pub_controller.ex | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/web/activity_pub/activity_pub_controller.ex b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
index 2bfff6968..415aa4f68 100644
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@@ -303,7 +303,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     end
   end
 
-  def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
+  def inbox(%{assigns: %{valid_signature: true, valid_host_header: true}} = conn, %{"nickname" => nickname} = params) do
     with {:recipient_exists, %User{} = recipient} <-
            {:recipient_exists, User.get_cached_by_nickname(nickname)},
          {:sender_exists, {:ok, %User{} = actor}} <-
@@ -342,7 +342,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
     end
   end
 
-  def inbox(%{assigns: %{valid_signature: true}} = conn, params) do
+  def inbox(%{assigns: %{valid_signature: true, valid_host_header: true}} = conn, params) do
     Federator.incoming_ap_doc(params)
     json(conn, "ok")
   end