aboutsummaryrefslogtreecommitdiffstats
path: root/actionview/lib/action_view/context.rb
diff options
context:
space:
mode:
authorGenadi Samokovarov <gsamokovarov@gmail.com>2018-06-14 11:09:00 +0300
committerGenadi Samokovarov <gsamokovarov@gmail.com>2018-12-15 20:18:51 +0200
commit07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f (patch)
treef6c0bde72b359af9ca6a8e4a1937bc4b2a848563 /actionview/lib/action_view/context.rb
parentce48b5a366482d4b4c4c053e1e39e79d71987197 (diff)
downloadrails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.gz
rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.bz2
rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.zip
Introduce a guard against DNS rebinding attacks
The ActionDispatch::HostAuthorization is a new middleware that prevent against DNS rebinding and other Host header attacks. By default it is included only in the development environment with the following configuration: Rails.application.config.hosts = [ IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. IPAddr.new("::/0"), # All IPv6 addresses. "localhost" # The localhost reserved domain. ] In other environments, `Rails.application.config.hosts` is empty and no Host header checks will be done. If you want to guard against header attacks on production, you have to manually permit the allowed hosts with: Rails.application.config.hosts << "product.com" The host of a request is checked against the hosts entries with the case operator (#===), which lets hosts support entries of type RegExp, Proc and IPAddr to name a few. Here is an example with a regexp. # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << /.*\.product\.com/ A special case is supported that allows you to permit all sub-domains: # Allow requests from subdomains like `www.product.com` and # `beta1.product.com`. Rails.application.config.hosts << ".product.com"
Diffstat (limited to 'actionview/lib/action_view/context.rb')
0 files changed, 0 insertions, 0 deletions