From 32b27db91c28ccbd664614abc4f9829489ebac9f Mon Sep 17 00:00:00 2001 From: Antoine Cormouls Date: Thu, 16 Oct 2025 10:07:55 +0200 Subject: [PATCH 1/5] feat: skip verify server url --- src/Options/Definitions.js | 7 +++++++ src/Options/docs.js | 1 + src/Options/index.js | 5 +++++ src/ParseServer.ts | 19 ++++++++++++++----- types/Options/index.d.ts | 1 + 5 files changed, 28 insertions(+), 5 deletions(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 6218e484a8..3661eb2119 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -593,6 +593,13 @@ module.exports.ParseServerOptions = { help: 'Disables console output', action: parsers.booleanParser, }, + skipVerifyServerUrl: { + env: 'PARSE_SERVER_SKIP_VERIFY_SERVER_URL', + help: + 'Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `false`.', + action: parsers.booleanParser, + default: false, + }, startLiveQueryServer: { env: 'PARSE_SERVER_START_LIVE_QUERY_SERVER', help: 'Starts the liveQuery server', diff --git a/src/Options/docs.js b/src/Options/docs.js index e3ef19655a..7b89228a53 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -103,6 +103,7 @@ * @property {String} serverURL URL to your parse server with http:// or https://. * @property {Number} sessionLength Session duration, in seconds, defaults to 1 year * @property {Boolean} silent Disables console output + * @property {Boolean} skipVerifyServerUrl Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `false`. * @property {Boolean} startLiveQueryServer Starts the liveQuery server * @property {Any} trustProxy The trust proxy settings. It is important to understand the exact setup of the reverse proxy, since this setting will trust values provided in the Parse Server API request. See the express trust proxy settings documentation. Defaults to `false`. * @property {String[]} userSensitiveFields Personally identifiable information fields in the user table the should be removed for non-authorized users. Deprecated @see protectedFields diff --git a/src/Options/index.js b/src/Options/index.js index 29ac1628f7..65eb493a2b 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -57,6 +57,11 @@ export interface ParseServerOptions { /* URL to your parse server with http:// or https://. :ENV: PARSE_SERVER_URL */ serverURL: string; + /* Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution. +

+ Default is `false`. + :DEFAULT: false */ + skipVerifyServerUrl: ?boolean; /* (Optional) Restricts the use of master key permissions to a list of IP addresses or ranges.

This option accepts a list of single IP addresses, for example `['10.0.0.1', '10.0.0.2']`. You can also use CIDR notation to specify an IP address range, for example `['10.0.1.0/24']`.

Special scenarios:
- Setting an empty array `[]` means that the master key cannot be used even in Parse Server Cloud Code. This value cannot be set via an environment variable as there is no way to pass an empty array to Parse Server via an environment variable.
- Setting `['0.0.0.0/0', '::0']` means to allow any IPv4 and IPv6 address to use the master key and effectively disables the IP filter.

Considerations:
- IPv4 and IPv6 addresses are not compared against each other. Each IP version (IPv4 and IPv6) needs to be considered separately. For example, `['0.0.0.0/0']` allows any IPv4 address and blocks every IPv6 address. Conversely, `['::0']` allows any IPv6 address and blocks every IPv4 address.
- Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local environment may use a different IP version than a remote environment. For example, it's possible that locally the value `['0.0.0.0/0']` allows the request IP because the environment is using IPv4, but when Parse Server is deployed remotely the request IP is blocked because the remote environment is using IPv6.
- When setting the option via an environment variable the notation is a comma-separated string, for example `"0.0.0.0/0,::0"`.
- IPv6 zone indices (`%` suffix) are not supported, for example `fe80::1%eth0`, `fe80::1%1` or `::1%lo`.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server instance on which Parse Server runs, is allowed to use the master key. :DEFAULT: ["127.0.0.1","::1"] */ masterKeyIps: ?(string[]); diff --git a/src/ParseServer.ts b/src/ParseServer.ts index b928364c2e..966c188986 100644 --- a/src/ParseServer.ts +++ b/src/ParseServer.ts @@ -296,7 +296,14 @@ class ParseServer { * Create an express app for the parse server * @param {Object} options let you specify the maxUploadSize when creating the express app */ static app(options) { - const { maxUploadSize = '20mb', appId, directAccess, pages, rateLimit = [] } = options; + const { + maxUploadSize = '20mb', + appId, + directAccess, + pages, + rateLimit = [], + skipVerifyServerUrl, + } = options; // This app serves the Parse API directly. // It's the equivalent of https://api.parse.com/1 in the hosted Parse API. var api = express(); @@ -367,10 +374,12 @@ class ParseServer { }); // verify the server url after a 'mount' event is received /* istanbul ignore next */ - api.on('mount', async function () { - await new Promise(resolve => setTimeout(resolve, 1000)); - ParseServer.verifyServerUrl(); - }); + if (!skipVerifyServerUrl) { + api.on('mount', async function () { + await new Promise(resolve => setTimeout(resolve, 1000)); + ParseServer.verifyServerUrl(); + }); + } } if (process.env.PARSE_SERVER_ENABLE_EXPERIMENTAL_DIRECT_ACCESS === '1' || directAccess) { Parse.CoreManager.setRESTController(ParseServerRESTController(appId, appRouter)); diff --git a/types/Options/index.d.ts b/types/Options/index.d.ts index ac1c71e886..baadbe1658 100644 --- a/types/Options/index.d.ts +++ b/types/Options/index.d.ts @@ -122,6 +122,7 @@ export interface ParseServerOptions { allowExpiredAuthDataToken?: boolean; requestKeywordDenylist?: (RequestKeywordDenylist[]); rateLimit?: (RateLimitOptions[]); + skipVerifyServerUrl?: boolean; } export interface RateLimitOptions { requestPath: string; From 5aa80f7cb98142214ea5c4e9771f6e980e8eb18b Mon Sep 17 00:00:00 2001 From: Antoine Cormouls Date: Fri, 24 Oct 2025 09:23:36 +0200 Subject: [PATCH 2/5] fix: reverse option --- src/Options/Definitions.js | 14 +++++++------- src/Options/docs.js | 2 +- src/Options/index.js | 8 ++++---- src/ParseServer.ts | 2 +- types/Options/index.d.ts | 2 +- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 3504e84f5c..2b8f79425e 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -593,13 +593,6 @@ module.exports.ParseServerOptions = { help: 'Disables console output', action: parsers.booleanParser, }, - skipVerifyServerUrl: { - env: 'PARSE_SERVER_SKIP_VERIFY_SERVER_URL', - help: - 'Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `false`.', - action: parsers.booleanParser, - default: false, - }, startLiveQueryServer: { env: 'PARSE_SERVER_START_LIVE_QUERY_SERVER', help: 'Starts the liveQuery server', @@ -623,6 +616,13 @@ module.exports.ParseServerOptions = { help: 'Set the logging to verbose', action: parsers.booleanParser, }, + verifyServerUrl: { + env: 'PARSE_SERVER_VERIFY_SERVER_URL', + help: + 'Set to `false` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `true`.', + action: parsers.booleanParser, + default: true, + }, verifyUserEmails: { env: 'PARSE_SERVER_VERIFY_USER_EMAILS', help: diff --git a/src/Options/docs.js b/src/Options/docs.js index e31d2a633f..6b50542099 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -103,11 +103,11 @@ * @property {String} serverURL URL to your parse server with http:// or https://. * @property {Number} sessionLength Session duration, in seconds, defaults to 1 year * @property {Boolean} silent Disables console output - * @property {Boolean} skipVerifyServerUrl Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `false`. * @property {Boolean} startLiveQueryServer Starts the liveQuery server * @property {Any} trustProxy The trust proxy settings. It is important to understand the exact setup of the reverse proxy, since this setting will trust values provided in the Parse Server API request. See the express trust proxy settings documentation. Defaults to `false`. * @property {String[]} userSensitiveFields Personally identifiable information fields in the user table the should be removed for non-authorized users. Deprecated @see protectedFields * @property {Boolean} verbose Set the logging to verbose + * @property {Boolean} verifyServerUrl Set to `false` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `true`. * @property {Boolean} verifyUserEmails Set to `true` to require users to verify their email address to complete the sign-up process. Supports a function with a return value of `true` or `false` for conditional verification.

Default is `false`. * @property {String} webhookKey Key sent with outgoing webhook calls */ diff --git a/src/Options/index.js b/src/Options/index.js index fecc6ba619..f4e0391bc5 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -57,11 +57,11 @@ export interface ParseServerOptions { /* URL to your parse server with http:// or https://. :ENV: PARSE_SERVER_URL */ serverURL: string; - /* Set to `true` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution. + /* Set to `false` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

- Default is `false`. - :DEFAULT: false */ - skipVerifyServerUrl: ?boolean; + Default is `true`. + :DEFAULT: true */ + verifyServerUrl: ?boolean; /* (Optional) Restricts the use of master key permissions to a list of IP addresses or ranges.

This option accepts a list of single IP addresses, for example `['10.0.0.1', '10.0.0.2']`. You can also use CIDR notation to specify an IP address range, for example `['10.0.1.0/24']`.

Special scenarios:
- Setting an empty array `[]` means that the master key cannot be used even in Parse Server Cloud Code. This value cannot be set via an environment variable as there is no way to pass an empty array to Parse Server via an environment variable.
- Setting `['0.0.0.0/0', '::0']` means to allow any IPv4 and IPv6 address to use the master key and effectively disables the IP filter.

Considerations:
- IPv4 and IPv6 addresses are not compared against each other. Each IP version (IPv4 and IPv6) needs to be considered separately. For example, `['0.0.0.0/0']` allows any IPv4 address and blocks every IPv6 address. Conversely, `['::0']` allows any IPv6 address and blocks every IPv4 address.
- Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local environment may use a different IP version than a remote environment. For example, it's possible that locally the value `['0.0.0.0/0']` allows the request IP because the environment is using IPv4, but when Parse Server is deployed remotely the request IP is blocked because the remote environment is using IPv6.
- When setting the option via an environment variable the notation is a comma-separated string, for example `"0.0.0.0/0,::0"`.
- IPv6 zone indices (`%` suffix) are not supported, for example `fe80::1%eth0`, `fe80::1%1` or `::1%lo`.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server instance on which Parse Server runs, is allowed to use the master key. :DEFAULT: ["127.0.0.1","::1"] */ masterKeyIps: ?(string[]); diff --git a/src/ParseServer.ts b/src/ParseServer.ts index 2f274efdf9..04543ac1c3 100644 --- a/src/ParseServer.ts +++ b/src/ParseServer.ts @@ -487,7 +487,7 @@ class ParseServer { /* istanbul ignore next */ if (!process.env.TESTING) { configureListeners(this); - if(!options.skipVerifyServerUrl) { + if (options.verifyServerUrl !== false) { await ParseServer.verifyServerUrl(); } } diff --git a/types/Options/index.d.ts b/types/Options/index.d.ts index baadbe1658..7a572a2f10 100644 --- a/types/Options/index.d.ts +++ b/types/Options/index.d.ts @@ -122,7 +122,7 @@ export interface ParseServerOptions { allowExpiredAuthDataToken?: boolean; requestKeywordDenylist?: (RequestKeywordDenylist[]); rateLimit?: (RateLimitOptions[]); - skipVerifyServerUrl?: boolean; + verifyServerUrl?: boolean; } export interface RateLimitOptions { requestPath: string; From 7816504834945ab3aa433706590385b0dd826b25 Mon Sep 17 00:00:00 2001 From: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Sat, 25 Oct 2025 12:52:10 +0200 Subject: [PATCH 3/5] Apply suggestion from @mtrezza Signed-off-by: Manuel <5673677+mtrezza@users.noreply.github.com> --- src/Options/Definitions.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 2b8f79425e..ac22370c47 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -619,7 +619,7 @@ module.exports.ParseServerOptions = { verifyServerUrl: { env: 'PARSE_SERVER_VERIFY_SERVER_URL', help: - 'Set to `false` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `true`.', + 'Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation.

Default is `true`.', action: parsers.booleanParser, default: true, }, From db90c65958115b77a89ad0a1760c09180aa9bf04 Mon Sep 17 00:00:00 2001 From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com> Date: Sat, 25 Oct 2025 13:05:57 +0200 Subject: [PATCH 4/5] docs --- src/Options/Definitions.js | 8 +++++--- src/Options/docs.js | 6 +++--- src/Options/index.js | 8 +++----- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index ac22370c47..3300a4121e 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -296,7 +296,8 @@ module.exports.ParseServerOptions = { }, graphQLPath: { env: 'PARSE_SERVER_GRAPHQL_PATH', - help: 'Mount path for the GraphQL endpoint, defaults to /graphql', + help: + 'The mount path for the GraphQL endpoint

\u26A0\uFE0F File upload inside the GraphQL mutation system requires Parse Server to be able to call itself by making requests to the URL set in `serverURL`.

Defaults is `/graphql`.', default: '/graphql', }, graphQLPublicIntrospection: { @@ -579,7 +580,8 @@ module.exports.ParseServerOptions = { }, serverURL: { env: 'PARSE_SERVER_URL', - help: 'URL to your parse server with http:// or https://.', + help: + 'The URL to Parse Server.

\u26A0\uFE0F Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.', required: true, }, sessionLength: { @@ -619,7 +621,7 @@ module.exports.ParseServerOptions = { verifyServerUrl: { env: 'PARSE_SERVER_VERIFY_SERVER_URL', help: - 'Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation.

Default is `true`.', + 'Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

\u26A0\uFE0F Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.

Default is `true`.', action: parsers.booleanParser, default: true, }, diff --git a/src/Options/docs.js b/src/Options/docs.js index 6b50542099..9b4785a329 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -53,7 +53,7 @@ * @property {String} fileKey Key for your files * @property {Adapter} filesAdapter Adapter module for the files sub-system * @property {FileUploadOptions} fileUpload Options for file uploads - * @property {String} graphQLPath Mount path for the GraphQL endpoint, defaults to /graphql + * @property {String} graphQLPath The mount path for the GraphQL endpoint

⚠️ File upload inside the GraphQL mutation system requires Parse Server to be able to call itself by making requests to the URL set in `serverURL`.

Defaults is `/graphql`. * @property {Boolean} graphQLPublicIntrospection Enable public introspection for the GraphQL endpoint, defaults to false * @property {String} graphQLSchema Full path to your GraphQL custom schema.graphql file * @property {String} host The host to serve ParseServer on, defaults to 0.0.0.0 @@ -100,14 +100,14 @@ * @property {SecurityOptions} security The security options to identify and report weak security settings. * @property {Boolean} sendUserEmailVerification Set to `false` to prevent sending of verification email. Supports a function with a return value of `true` or `false` for conditional email sending.

Default is `true`.
* @property {Function} serverCloseComplete Callback when server has closed - * @property {String} serverURL URL to your parse server with http:// or https://. + * @property {String} serverURL The URL to Parse Server.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself. * @property {Number} sessionLength Session duration, in seconds, defaults to 1 year * @property {Boolean} silent Disables console output * @property {Boolean} startLiveQueryServer Starts the liveQuery server * @property {Any} trustProxy The trust proxy settings. It is important to understand the exact setup of the reverse proxy, since this setting will trust values provided in the Parse Server API request. See the express trust proxy settings documentation. Defaults to `false`. * @property {String[]} userSensitiveFields Personally identifiable information fields in the user table the should be removed for non-authorized users. Deprecated @see protectedFields * @property {Boolean} verbose Set the logging to verbose - * @property {Boolean} verifyServerUrl Set to `false` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution.

Default is `true`. + * @property {Boolean} verifyServerUrl Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.

Default is `true`. * @property {Boolean} verifyUserEmails Set to `true` to require users to verify their email address to complete the sign-up process. Supports a function with a return value of `true` or `false` for conditional verification.

Default is `false`. * @property {String} webhookKey Key sent with outgoing webhook calls */ diff --git a/src/Options/index.js b/src/Options/index.js index f4e0391bc5..1d9b88f51b 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -54,12 +54,10 @@ export interface ParseServerOptions { masterKeyTtl: ?number; /* (Optional) The maintenance key is used for modifying internal and read-only fields of Parse Server.

⚠️ This key is not intended to be used as part of a regular operation of Parse Server. This key is intended to conduct out-of-band changes such as one-time migrations or data correction tasks. Internal fields are not officially documented and may change at any time without publication in release changelogs. We strongly advice not to rely on internal fields as part of your regular operation and to investigate the implications of any planned changes *directly in the source code* of your current version of Parse Server. */ maintenanceKey: string; - /* URL to your parse server with http:// or https://. + /* The URL to Parse Server.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself. :ENV: PARSE_SERVER_URL */ serverURL: string; - /* Set to `false` to skip the server URL verification on startup. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall, in certain containerized environments, or in test environments like Jest where the verification may cause issues or unnecessary delays during test execution. -

- Default is `true`. + /* Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.

Default is `true`. :DEFAULT: true */ verifyServerUrl: ?boolean; /* (Optional) Restricts the use of master key permissions to a list of IP addresses or ranges.

This option accepts a list of single IP addresses, for example `['10.0.0.1', '10.0.0.2']`. You can also use CIDR notation to specify an IP address range, for example `['10.0.1.0/24']`.

Special scenarios:
- Setting an empty array `[]` means that the master key cannot be used even in Parse Server Cloud Code. This value cannot be set via an environment variable as there is no way to pass an empty array to Parse Server via an environment variable.
- Setting `['0.0.0.0/0', '::0']` means to allow any IPv4 and IPv6 address to use the master key and effectively disables the IP filter.

Considerations:
- IPv4 and IPv6 addresses are not compared against each other. Each IP version (IPv4 and IPv6) needs to be considered separately. For example, `['0.0.0.0/0']` allows any IPv4 address and blocks every IPv6 address. Conversely, `['::0']` allows any IPv6 address and blocks every IPv4 address.
- Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local environment may use a different IP version than a remote environment. For example, it's possible that locally the value `['0.0.0.0/0']` allows the request IP because the environment is using IPv4, but when Parse Server is deployed remotely the request IP is blocked because the remote environment is using IPv6.
- When setting the option via an environment variable the notation is a comma-separated string, for example `"0.0.0.0/0,::0"`.
- IPv6 zone indices (`%` suffix) are not supported, for example `fe80::1%eth0`, `fe80::1%1` or `::1%lo`.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server instance on which Parse Server runs, is allowed to use the master key. @@ -310,7 +308,7 @@ export interface ParseServerOptions { :ENV: PARSE_SERVER_MOUNT_GRAPHQL :DEFAULT: false */ mountGraphQL: ?boolean; - /* Mount path for the GraphQL endpoint, defaults to /graphql + /* The mount path for the GraphQL endpoint

⚠️ File upload inside the GraphQL mutation system requires Parse Server to be able to call itself by making requests to the URL set in `serverURL`.

Defaults is `/graphql`. :ENV: PARSE_SERVER_GRAPHQL_PATH :DEFAULT: /graphql */ graphQLPath: ?string; From ade86e31103d7c527ccc9e21e5a5c9d236882067 Mon Sep 17 00:00:00 2001 From: Manuel Trezza <5673677+mtrezza@users.noreply.github.com> Date: Sat, 25 Oct 2025 13:12:18 +0200 Subject: [PATCH 5/5] docs --- src/Options/Definitions.js | 2 +- src/Options/docs.js | 2 +- src/Options/index.js | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/Options/Definitions.js b/src/Options/Definitions.js index 3300a4121e..205c35fa77 100644 --- a/src/Options/Definitions.js +++ b/src/Options/Definitions.js @@ -621,7 +621,7 @@ module.exports.ParseServerOptions = { verifyServerUrl: { env: 'PARSE_SERVER_VERIFY_SERVER_URL', help: - 'Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

\u26A0\uFE0F Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.

Default is `true`.', + 'Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

\u26A0\uFE0F Server URL verification requires Parse Server to be able to call itself by making requests to the URL set in `serverURL`.

Default is `true`.', action: parsers.booleanParser, default: true, }, diff --git a/src/Options/docs.js b/src/Options/docs.js index 9b4785a329..dde5942500 100644 --- a/src/Options/docs.js +++ b/src/Options/docs.js @@ -107,7 +107,7 @@ * @property {Any} trustProxy The trust proxy settings. It is important to understand the exact setup of the reverse proxy, since this setting will trust values provided in the Parse Server API request. See the express trust proxy settings documentation. Defaults to `false`. * @property {String[]} userSensitiveFields Personally identifiable information fields in the user table the should be removed for non-authorized users. Deprecated @see protectedFields * @property {Boolean} verbose Set the logging to verbose - * @property {Boolean} verifyServerUrl Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.

Default is `true`. + * @property {Boolean} verifyServerUrl Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Server URL verification requires Parse Server to be able to call itself by making requests to the URL set in `serverURL`.

Default is `true`. * @property {Boolean} verifyUserEmails Set to `true` to require users to verify their email address to complete the sign-up process. Supports a function with a return value of `true` or `false` for conditional verification.

Default is `false`. * @property {String} webhookKey Key sent with outgoing webhook calls */ diff --git a/src/Options/index.js b/src/Options/index.js index 1d9b88f51b..ff8287b86b 100644 --- a/src/Options/index.js +++ b/src/Options/index.js @@ -57,7 +57,7 @@ export interface ParseServerOptions { /* The URL to Parse Server.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself. :ENV: PARSE_SERVER_URL */ serverURL: string; - /* Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Certain server features or adapters may require Parse Server to be able to call itself by making requests to the URL set in `serverURL`. If a feature requires this, it is mentioned in the documentation. In that case ensure that the URL is accessible from the server itself.

Default is `true`. + /* Parse Server makes a HTTP request to the URL set in `serverURL` at the end of its launch routine to verify that the launch succeeded. If this option is set to `false`, the verification will be skipped. This can be useful in environments where the server URL is not accessible from the server itself, such as when running behind a firewall or in certain containerized environments.

⚠️ Server URL verification requires Parse Server to be able to call itself by making requests to the URL set in `serverURL`.

Default is `true`. :DEFAULT: true */ verifyServerUrl: ?boolean; /* (Optional) Restricts the use of master key permissions to a list of IP addresses or ranges.

This option accepts a list of single IP addresses, for example `['10.0.0.1', '10.0.0.2']`. You can also use CIDR notation to specify an IP address range, for example `['10.0.1.0/24']`.

Special scenarios:
- Setting an empty array `[]` means that the master key cannot be used even in Parse Server Cloud Code. This value cannot be set via an environment variable as there is no way to pass an empty array to Parse Server via an environment variable.
- Setting `['0.0.0.0/0', '::0']` means to allow any IPv4 and IPv6 address to use the master key and effectively disables the IP filter.

Considerations:
- IPv4 and IPv6 addresses are not compared against each other. Each IP version (IPv4 and IPv6) needs to be considered separately. For example, `['0.0.0.0/0']` allows any IPv4 address and blocks every IPv6 address. Conversely, `['::0']` allows any IPv6 address and blocks every IPv4 address.
- Keep in mind that the IP version in use depends on the network stack of the environment in which Parse Server runs. A local environment may use a different IP version than a remote environment. For example, it's possible that locally the value `['0.0.0.0/0']` allows the request IP because the environment is using IPv4, but when Parse Server is deployed remotely the request IP is blocked because the remote environment is using IPv6.
- When setting the option via an environment variable the notation is a comma-separated string, for example `"0.0.0.0/0,::0"`.
- IPv6 zone indices (`%` suffix) are not supported, for example `fe80::1%eth0`, `fe80::1%1` or `::1%lo`.

Defaults to `['127.0.0.1', '::1']` which means that only `localhost`, the server instance on which Parse Server runs, is allowed to use the master key.