From 1ae037a46d3f3d94304bb3174dfa890a0c529604 Mon Sep 17 00:00:00 2001
From: Ayoub-Mabrouk <ayoubmabroukcontact@gmail.com>
Date: Mon, 10 Nov 2025 21:46:32 +0100
Subject: [PATCH] test: add test for req.host with comma-separated
 X-Forwarded-Host

Add test to verify that req.host correctly handles comma-separated
values in X-Forwarded-Host header by using only the first value.
This ensures the behavior matches req.hostname and properly handles
edge cases when proxies send multiple host values.
---
 test/req.host.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/test/req.host.js b/test/req.host.js
index cdda82eaae3..ce9879c8026 100644
--- a/test/req.host.js
+++ b/test/req.host.js
@@ -135,6 +135,22 @@ describe('req', function(){
           .expect('example.com', done);
         })
       })
+
+      it('should use first value when X-Forwarded-Host has comma', function (done) {
+        var app = express();
+
+        app.enable('trust proxy');
+
+        app.use(function (req, res) {
+          res.end(req.host);
+        });
+
+        request(app)
+        .get('/')
+        .set('Host', 'localhost')
+        .set('X-Forwarded-Host', 'example.com, foobar.com')
+        .expect('example.com', done);
+      })
     })
 
     describe('when "trust proxy" is disabled', function(){