class ActionDispatch::HostAuthorization
body is empty.
info if ‘config.consider_all_requests_local` is set to true, otherwise the
and responds with `403 Forbidden`. The body of the response contains debug
will run. The default response app logs blocked host info with level ’error’
will be executed and rendered. If no ‘response_app` is given, a default one
When a request comes to an unauthorized host, the `response_app` application
config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
Requests can opt-out of Host Authorization with `exclude`:
`config.host_authorization`.
hosts a request can be sent to, and is passed the options set in
This middleware guards from DNS rebinding attacks by explicitly permitting the
# Action Dispatch HostAuthorization
def blocked_hosts(request)
def blocked_hosts(request) hosts = [] origin_host = request.get_header("HTTP_HOST") hosts << origin_host unless @permissions.allows?(origin_host) forwarded_host = request.x_forwarded_host&.split(/,\s?/)&.last hosts << forwarded_host unless forwarded_host.blank? || @permissions.allows?(forwarded_host) hosts end
def call(env)
def call(env) return @app.call(env) if @permissions.empty? request = Request.new(env) hosts = blocked_hosts(request) if hosts.empty? || excluded?(request) mark_as_authorized(request) @app.call(env) else env["action_dispatch.blocked_hosts"] = hosts @response_app.call(env) end end
def excluded?(request)
def excluded?(request) @exclude && @exclude.call(request) end
def initialize(app, hosts, exclude: nil, response_app: nil)
def initialize(app, hosts, exclude: nil, response_app: nil) @app = app @permissions = Permissions.new(hosts) @exclude = exclude @response_app = response_app || DefaultResponseApp.new end
def mark_as_authorized(request)
def mark_as_authorized(request) request.set_header("action_dispatch.authorized_host", request.host) end