inveniosoftware · tmorrell · Feb 24, 2025 · Feb 17, 2025 · Feb 18, 2025
diff --git a/docs/customize/look-and-feel/index.md b/docs/customize/look-and-feel/index.md
@@ -35,15 +35,15 @@ INVENIO_THEME_FRONTPAGE_TITLE="Stage RePo: the Repository about Potatoes"
 
     ❌ DON'T
     ```shell
-    INVENIO_APP_ALLOWED_HOSTS=["127.0.0.1"] invenio-cli run
+    INVENIO_TRUSTED_HOSTS=["127.0.0.1"] invenio-cli run
     ```
-    `APP_ALLOWED_HOSTS` is interpreted as the string `"[127.0.0.1]"` because of shell substitution followed by Python literal conversion.
+    `TRUSTED_HOSTS` is interpreted as the string `"[127.0.0.1]"` because of shell substitution followed by Python literal conversion.
 
     ✅ DO
     ```shell
-    INVENIO_APP_ALLOWED_HOSTS='["127.0.0.1"]' invenio-cli run
+    INVENIO_TRUSTED_HOSTS='["127.0.0.1"]' invenio-cli run
     ```
-    `APP_ALLOWED_HOSTS` is interpreted as the list `["127.0.0.1"]` which is right.
+    `TRUSTED_HOSTS` is interpreted as the list `["127.0.0.1"]` which is right.
 
     Another pitfall to avoid is when a value can be interpreted as the wrong type.
 

diff --git a/docs/install/configuration.md b/docs/install/configuration.md
@@ -45,9 +45,9 @@ The credentials you do find in the ``invenio.cfg`` file are for the default deve
 ## Options
 
 ---
-### ``APP_ALLOWED_HOSTS``
+### ``TRUSTED_HOSTS``
 
-Invenio has a configuration option called ``APP_ALLOWED_HOSTS`` which controls which hosts/domain names can be served. A client request to a web server usually includes the domain name in the Host HTTP header:
+Invenio has a configuration option called ``TRUSTED_HOSTS`` which controls which hosts/domain names can be served. A client request to a web server usually includes the domain name in the Host HTTP header:
 
 ```
 GET /
@@ -61,10 +61,10 @@ An attacker has full control of the host header and can thus change it to whatev
 
 Normally your load balancer/web server should only route requests with a white-listed set of hosts to your application. It is however very easy to misconfigure this in your web server, and thus Invenio includes a protective measure.
 
-Simply set APP_ALLOWED_HOSTS to a list of allowed hosts/domain names:
+Simply set TRUSTED_HOSTS to a list of allowed hosts/domain names:
 
 ```
-APP_ALLOWED_HOSTS = ['www.example.org']
+TRUSTED_HOSTS = ['www.example.org']
 ```
 
 Failing to properly configure this variable will cause the error `Bad Request Host x.x.x.x is not trusted.` when starting the web app.

diff --git a/docs/releases/v13/upgrade-v13.0.md b/docs/releases/v13/upgrade-v13.0.md
@@ -182,6 +182,7 @@ ADMINISTRATION_DISPLAY_VERSIONS = [
 - feature: invenio vocabularies entries deprecation
 - improvement: search mappings and analyzers to improve performance
 - OpenSearch min version now required v2.12 due to breaking changes in `geo-shape` fields, see issue [here](https://github.com/inveniosoftware/invenio-rdm-records/issues/1807) and related OpenSearch issue and comment [here](https://github.com/opensearch-project/OpenSearch/issues/10958#issuecomment-2037882756).
+- change from `APP_ALLOWED_HOSTS` to `TRUSTED_HOSTS` due flask >= 3
 
 ### TODO