v7.1.3.2 - Show latest stable - 0 notes - Superclass: Object

Action Dispatch HostAuthorization

This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization.

Requests can opt-out of Host Authorization with exclude:

config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }

When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run. The default response app logs blocked host info with level ‘error’ and responds with 403 Forbidden. The body of the response contains debug info if config.consider_all_requests_local is set to true, otherwise the body is empty.


VALID_IP_HOSTNAME = Regexp.union( # :nodoc: /\A#{IPV4_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME}\z/, /\A#{IPV6_HOSTNAME_WITH_PORT}\z/, )


IPV6_HOSTNAME = /(?[a-f0-9]*:[a-f0-9.:]+)/i

IPV4_HOSTNAME = /(?\d+\.\d+\.\d+\.\d+)#{PORT_REGEX}?/

SUBDOMAIN_REGEX = /(?:[a-z0-9-]+\.)/i

PORT_REGEX = /(?::\d+)/

ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", IPAddr.new(""), IPAddr.new("::/0")]


Show files where this class is defined (1 file)
Register or log in to add new notes.