Action Dispatch HostAuthorization
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization
.
Requests can opt-out of Host Authorization with exclude
:
config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
When a request comes to an unauthorized host, the response_app
application will be executed and rendered. If no response_app
is given, a default one will run. The default response app logs blocked host info with level ‘error’ and responds with 403 Forbidden
. The body of the response contains debug info if config.consider_all_requests_local
is set to true, otherwise the body is empty.
Methods
Constants
ALLOWED_HOSTS_IN_DEVELOPMENT | = | [".localhost", ".test", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")] |
Class Public methods
new(app, hosts, exclude: nil, response_app: nil)
📝 Source code
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 127
def initialize(app, hosts, exclude: nil, response_app: nil)
@app = app
@permissions = Permissions.new(hosts)
@exclude = exclude
@response_app = response_app || DefaultResponseApp.new
end
🔎 See on GitHub
Instance Public methods
call(env)
📝 Source code
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 135
def call(env)
return @app.call(env) if @permissions.empty?
request = Request.new(env)
hosts = blocked_hosts(request)
if hosts.empty? || excluded?(request)
mark_as_authorized(request)
@app.call(env)
else
env["action_dispatch.blocked_hosts"] = hosts
@response_app.call(env)
end
end
🔎 See on GitHub