class ActionDispatch::HostAuthorization

This middleware guards from DNS rebinding attacks by explicitly permitting
the hosts a request can be sent to.

When a request comes to an unauthorized host, the response_app
application will be executed and rendered. If no response_app is given, a
default one will run, which responds with +403 Forbidden+.

def authorized?(request)

# Decides whether +request+ targets a permitted host.
#
# Both the +Host+ header and the +X-Forwarded-Host+ header are reduced to
# the capture group 1 of VALID_ORIGIN_HOST / VALID_FORWARDED_HOST (defined
# outside this method); a missing or non-matching header yields "".
#
# NOTE(review): a forwarded host that does not match VALID_FORWARDED_HOST
# collapses to "" and is then treated as absent — confirm that is the
# intended behaviour for malformed X-Forwarded-Host values.
#
# @param request [Request] the incoming request
# @return [Boolean] true when the origin host is allowed and the forwarded
#   host is either absent or allowed as well
def authorized?(request)
  host_header = request.get_header("HTTP_HOST")
  origin_host = host_header.nil? ? "" : (host_header.slice(VALID_ORIGIN_HOST, 1) || "")

  forwarded_header = request.x_forwarded_host
  forwarded_host = forwarded_header.nil? ? "" : (forwarded_header.slice(VALID_FORWARDED_HOST, 1) || "")

  # The origin host must always be permitted; the forwarded host only
  # matters when one was actually supplied.
  return false unless @permissions.allows?(origin_host)

  forwarded_host.blank? || @permissions.allows?(forwarded_host)
end

def call(env)

# Rack entry point.
#
# With no configured permissions the request is passed straight to the
# wrapped app. Otherwise the request is authorized first: permitted hosts
# are marked and forwarded to +@app+, rejected ones go to +@response_app+.
#
# @param env [Hash] the Rack environment
# @return [Array] the Rack response triple produced by the chosen app
def call(env)
  # Nothing to enforce when no hosts were configured.
  return @app.call(env) if @permissions.empty?

  request = Request.new(env)
  return @response_app.call(env) unless authorized?(request)

  mark_as_authorized(request)
  @app.call(env)
end

def initialize(app, hosts, response_app = nil)

# Builds the middleware.
#
# @param app [#call] the downstream Rack application
# @param hosts [Object] host specification handed to Permissions.new
#   (its accepted shapes are defined by Permissions, outside this method)
# @param response_app [#call, nil] app used for rejected requests; when
#   omitted (or falsy) DEFAULT_RESPONSE_APP is used
def initialize(app, hosts, response_app = nil)
  @app = app
  @permissions = Permissions.new(hosts)

  # Fall back to the built-in responder unless a custom one was supplied.
  @response_app = DEFAULT_RESPONSE_APP
  @response_app = response_app if response_app
end

def mark_as_authorized(request)

# Records on the request that its host passed authorization, so later
# stages can read "action_dispatch.authorized_host" from the environment.
#
# @param request [Request] the request that was just authorized
# @return [Object] whatever +request.set_header+ returns
def mark_as_authorized(request)
  header_name = "action_dispatch.authorized_host"
  request.set_header(header_name, request.host)
end