fix: Control default deny list via an env var

Author: christopherholland-workday

docker/.env.example

@@ -184,9 +184,6 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 
 # HTTP_DENY_LIST=
 # HTTP_SECURITY_CHECK=true
-# Set to false to disable the default HTTP deny list (localhost, private IPs, cloud metadata endpoints).
-# Only recommended for self-hosted instances that need local network access.
-# When false, HTTP_DENY_LIST is still enforced if set.
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
 # TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)

docker/worker/.env.example

@@ -183,9 +183,6 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 ############################################################################################################
 
 # HTTP_DENY_LIST=
-# Set to false to disable the default HTTP deny list (localhost, private IPs, cloud metadata endpoints).
-# Only recommended for self-hosted instances that need local network access.
-# When false, HTTP_DENY_LIST is still enforced if set.
 # HTTP_SECURITY_CHECK=true
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)

packages/server/.env.example

@@ -183,9 +183,6 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 ############################################################################################################
 
 # HTTP_DENY_LIST=
-# Set to false to disable the default HTTP deny list (localhost, private IPs, cloud metadata endpoints).
-# Only recommended for self-hosted instances that need local network access.
-# When false, HTTP_DENY_LIST is still enforced if set.
 # HTTP_SECURITY_CHECK=true
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)