This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to.
When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run, which responds with +403 Forbidden+.
Methods
Constants
| ALLOWED_HOSTS_IN_DEVELOPMENT | = | [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")] |
| DEFAULT_RESPONSE_APP | = | -> env do request = Request.new(env) format = request.xhr? ? "text/plain" : "text/html" template = DebugView.new(host: request.host) body = template.render(template: "rescues/blocked_host", layout: "rescues/layout") [403, { "Content-Type" => "#{format}; charset=#{Response.default_charset}", "Content-Length" => body.bytesize.to_s, }, [body]] end |
Class Public methods
new(app, hosts, response_app = nil)
📝 Source code
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 90
def initialize(app, hosts, response_app = nil)
@app = app
@permissions = Permissions.new(hosts)
@response_app = response_app || DEFAULT_RESPONSE_APP
endInstance Public methods
call(env)
📝 Source code
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 96
def call(env)
return @app.call(env) if @permissions.empty?
request = Request.new(env)
if authorized?(request)
mark_as_authorized(request)
@app.call(env)
else
@response_app.call(env)
end
end