Always include default deny list in deny list values (#5708)

* Always include default deny list in deny list values

* Update packages/components/src/httpSecurity.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Always include default deny list in deny list values

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: yau-wd <yau.ong@workday.com>

Author: 3 people

packages/components/src/httpSecurity.ts

@@ -27,12 +27,19 @@ const DEFAULT_DENY_LIST = [
 ]
 
 /**
- * Gets the HTTP deny list from environment variable or returns default
- * @returns Array of denied IP addresses/CIDR ranges
+ * Gets the HTTP deny list, always including default protections plus any custom entries
+ * @returns Array of denied IP addresses/CIDR ranges (always includes DEFAULT_DENY_LIST)
  */
 function getHttpDenyList(): string[] {
     const httpDenyListString = process.env.HTTP_DENY_LIST
-    return httpDenyListString ? httpDenyListString.split(',').map((s) => s.trim()) : DEFAULT_DENY_LIST
+    if (httpDenyListString) {
+        const customList = httpDenyListString
+            .split(',')
+            .map((s) => s.trim())
+            .filter(Boolean)
+        return [...new Set([...DEFAULT_DENY_LIST, ...customList])]
+    }
+    return DEFAULT_DENY_LIST
 }
 
 /**