ActionDispatch::HostAuthorization
# Action Dispatch HostAuthorization
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in `config.host_authorization`.
Requests can opt-out of Host Authorization with `exclude`:
config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
When a request comes to an unauthorized host, the `response_app` application will be executed and rendered. If no `response_app` is given, a default one will run. The default response app logs blocked host info with level ‘error’ and responds with `403 Forbidden`. The body of the response contains debug info if `config.consider_all_requests_local` is set to true, otherwise the body is empty.
Constants
ALLOWED_HOSTS_IN_DEVELOPMENT = [".localhost", ".test", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
IPV4_HOSTNAME = /(?<host>\\d+\\.\\d+\\.\\d+\\.\\d+)#{PORT_REGEX}?/
IPV6_HOSTNAME = /(?<host>[a-f0-9]*:[a-f0-9.:]+)/i
IPV6_HOSTNAME_WITH_PORT = /\\[#{IPV6_HOSTNAME}\\]#{PORT_REGEX}/i
PORT_REGEX = /(?::\\d+)/
SUBDOMAIN_REGEX = /(?:[a-z0-9-]+\\.)/i
VALID_IP_HOSTNAME = Regexp.union( # :nodoc:\n/\\A#{IPV4_HOSTNAME}\\z/,\n/\\A#{IPV6_HOSTNAME}\\z/,\n/\\A#{IPV6_HOSTNAME_WITH_PORT}\\z/,\n)
Files
- actionpack/lib/action_dispatch/middleware/host_authorization.rb
