Repository is archived
No commit activity in last 3 years
No release in over 3 years
Rack::AllowedHosts allows you to whitelist the hostnames allowed to serve the site. This is helpful to protect against Host Header Injection. See: https://acunetix.com/vulnerabilities/web/host-header-attack
 Project Readme

Rack::AllowedHosts

Host-Header Injection Protection

Usage

1. Install

gem 'rack-allowed_hosts'

2. Include Middleware

In config/application.rb (if using Rails):

class MyApplication < Rails::Application
  ...
  # Only enforce in production: in development and test the app is served
  # from localhost / 127.0.0.1, which are not on the list below.
  if Rails.env.production?
    require 'rack/allowed_hosts'
    config.middleware.use Rack::AllowedHosts do

      # Allow root domain:
      allow 'myapp.com'

      # Allow our subdomains:
      allow 'www.myapp.com', 'app.myapp.com'

      # Allow any subdomain with a wildcard:
      allow '*.myapp.com'

      # Include hosts from a configuration variable.
      # allow accepts a string or an array of strings; an ENV value is
      # always a single string, and it is skipped here when unset.
      allow ENV['ALLOWED_HOSTS'] if ENV['ALLOWED_HOSTS']
    end
  end
end

Features

Pattern Matching

Wildcards (*) can be placed anywhere in the host pattern and match any string, including strings that contain dots (.). Matching is anchored: the whole hostname must match the pattern, not just a substring of it.

So *.mydomain.com would match the following hosts:

  • platform.mydomain.com
  • www.mydomain.com
  • client.app.mydomain.com

This pattern would not match the following hosts:

  • mydomain.com - this pattern should be included separately if needed
  • mydomain.com.au
  • mydomain.com.otherwebsite.com

Warnings

Do not simply allow all hosts. This would defeat the purpose of using the middleware.

Do not do this:

allow '*'

...or this...

allow '*.com'

...or either of these (because a wildcard also matches dots, each one allows an attacker-controlled host such as mydomain.com.maliciousdomain.com):

allow 'mydomain.*'
allow 'mydomain.com.*'

...or this (it will not match anything):

allow '*-something.mydomain.com'
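To make the pattern-matching rules and the warnings above concrete, here is an added example that is not the rack-allowed_hosts gem's own code: a small stand-alone Rack-style middleware that turns each pattern into an anchored regular expression (a wildcard becomes `.*`, everything else is escaped literally), strips an optional port from the Host value, and rejects a request with 400 when the host is not on the list. The class names `HostAllowList` and `AllowedHostsMiddleware`, the `check_forwarded` option and the sample request environments are assumptions of this example. It needs no gem to run, because the Rack contract is only `call(env)` returning `[status, headers, body]`.

```ruby
# Added example, not the gem's code: glob-style host allow-listing as a
# Rack-compatible middleware. Pattern semantics follow the README above.
class HostAllowList
  # Convert one pattern into an anchored, case-insensitive regex. '*' matches
  # any run of characters, including dots, which is exactly why
  # 'mydomain.com.*' also matches 'mydomain.com.maliciousdomain.com'.
  def self.pattern_to_regex(pattern)
    parts = pattern.split('*', -1).map { |part| Regexp.escape(part) }
    /\A#{parts.join('.*')}\z/i
  end

  # Drop an optional ":port" suffix and normalise case; '[::1]:3000' becomes
  # '[::1]'. Returns nil for a missing or blank host.
  def self.normalize(host)
    return nil if host.nil?
    h = host.strip.downcase.sub(/:\d+\z/, '')
    h.empty? ? nil : h
  end

  # `patterns` may be a string, an array of strings, or a nested array
  # (mirrors passing a single ENV value or a list to `allow`).
  def initialize(patterns)
    list = Array(patterns).flatten.compact.map(&:strip).reject(&:empty?)
    raise ArgumentError, 'no allowed hosts configured' if list.empty?
    @regexes = list.map { |p| self.class.pattern_to_regex(p) }
  end

  def allowed?(host)
    h = self.class.normalize(host)
    !h.nil? && @regexes.any? { |re| re.match?(h) }
  end
end

class AllowedHostsMiddleware
  # check_forwarded is an option of this example (assumption): apps behind a
  # reverse proxy often build URLs from X-Forwarded-Host, so a spoofed value
  # there is as dangerous as a spoofed Host header.
  def initialize(app, patterns, check_forwarded: true)
    @app = app
    @list = HostAllowList.new(patterns)
    @check_forwarded = check_forwarded
  end

  def call(env)
    # Rack exposes the Host header as HTTP_HOST, falling back to SERVER_NAME.
    candidates = [env['HTTP_HOST'] || env['SERVER_NAME']]
    if @check_forwarded && env['HTTP_X_FORWARDED_HOST']
      # A proxy chain may append several hosts separated by commas; every one
      # of them must be allowed, since the first is attacker-supplied.
      candidates.concat(env['HTTP_X_FORWARDED_HOST'].split(',').map(&:strip))
    end
    return @app.call(env) if candidates.all? { |h| @list.allowed?(h) }
    [400, { 'content-type' => 'text/plain' }, ["Bad Request: host not allowed\n"]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configuration and requests for a quick manual run.
  app = AllowedHostsMiddleware.new(->(_env) { [200, {}, ['ok']] },
                                   ['myapp.com', '*.myapp.com'])
  ['app.myapp.com', 'myapp.com:443', 'myapp.com.evil.example'].each do |host|
    puts "#{host} => #{app.call('HTTP_HOST' => host)[0]}"
  end
end
```

Note that the dangerous patterns from the Warnings section are dangerous here for the same reason: `HostAllowList.new('mydomain.com.*').allowed?('mydomain.com.maliciousdomain.com')` is true, because the wildcard happily consumes the dots.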