Project

rack-allowed_hosts

0.0
Repository is archived
No commit activity in last 3 years
No release in over 3 years
rack-allowed_hostssynack/rack-allowed_hostsDocumentationSource CodeBug Tracker
Rack::AllowedHosts allows you to whitelist the hostnames allowed to serve the site. This is helpful to protect against Host Header Injection. See: https://acunetix.com/vulnerabilities/web/host-header-attack
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
 Popularity
Downloads
61,210
Stars
4
Forks
3
Watchers
12
 Releases
Current version
0.0.4
Total releases
3
First release
2015-08-16
Latest release
2017-01-06
 Issues
Open Issues
1
Closed Issues
0
Total Issues
1
Issue Closure Rate
0%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
5
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Average date of last 50 commits
2016-06-20
Reverse Dependencies
0

 Dependencies

Development

pry
>= 0
pry-byebug
>= 0
rspec
>= 0
 Project Readme

Rack::AllowedHosts

Host-Header Injection Protection

Usage

1. Install

gem 'rack-allowed_hosts'

2. Include Middleware

In config/application.rb, (if using Rails):

class MyApplication < Rails::Application
  ...
  if Rails.env == 'production'
    require 'rack/allowed_hosts'
    config.middleware.use Rack::AllowedHosts do

      # Allow root domain:
      allow 'myapp.com'

      # Allow our subdomains
      allow 'www.myapp.com', 'app.myapp.com'

      # Allow any subdomain with a wildcard
      allow '*.myapp.com'
      
      # Include subdomain from a configuration variable:
      # ENV['ALLOWED_HOSTS'] can be a string or an array of strings.
      allow ENV['ALLOWED_HOSTS']
    end
  end

Features

Pattern Matching

Wildcards (*) can be placed anywhere in the host pattern, and used to match any string, even including ..

So *.mydomain.com would match the following hosts:

  • platform.mydomain.com
  • www.mydomain.com
  • client.app.mydomain.com

This pattern would not match the following hosts:

  • mydomain.com - this pattern should be included separately if needed
  • mydomain.com.au
  • mydomain.com.otherwebsite.com

Warnings

Do not simply allow all hosts. This would defeat the purpose of using the middleware

Do not do this:

allow '*'

...or this...

allow '*.com'

...or any of these... (will enable anyone to spoof with mydomain.com.maliciousdomain.com)

allow 'mydomain.*'
allow 'mycomain.com.*'

...or this (will not match anything)

allow '*-something.mydomain.com'