Let's say I have two environments: https://qa.example.com and https://example.com. In QA, I want to allow access to something insecure, like a special route that allows logging in without a password.
What are the security concerns of checking request.host to determine if we are in qa or prod?
I am aware of other strategies like environment variables, but I want to know about this specifically.
