diff options
| author | Genadi Samokovarov <gsamokovarov@gmail.com> | 2018-06-14 11:09:00 +0300 |
|---|---|---|
| committer | Genadi Samokovarov <gsamokovarov@gmail.com> | 2018-12-15 20:18:51 +0200 |
| commit | 07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f (patch) | |
| tree | f6c0bde72b359af9ca6a8e4a1937bc4b2a848563 /railties/CHANGELOG.md | |
| parent | ce48b5a366482d4b4c4c053e1e39e79d71987197 (diff) | |
| download | rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.gz rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.tar.bz2 rails-07ec8062e605ba4e9bd153e1d264b02ac4ab8a0f.zip | |
Introduce a guard against DNS rebinding attacks
The ActionDispatch::HostAuthorization is a new middleware that prevent
against DNS rebinding and other Host header attacks. By default it is
included only in the development environment with the following
configuration:
Rails.application.config.hosts = [
IPAddr.new("0.0.0.0/0"), # All IPv4 addresses.
IPAddr.new("::/0"), # All IPv6 addresses.
"localhost" # The localhost reserved domain.
]
In other environments, `Rails.application.config.hosts` is empty and no
Host header checks will be done. If you want to guard against header
attacks on production, you have to manually permit the allowed hosts
with:
Rails.application.config.hosts << "product.com"
The host of a request is checked against the hosts entries with the case
operator (#===), which lets hosts support entries of type RegExp,
Proc and IPAddr to name a few. Here is an example with a regexp.
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << /.*\.product\.com/
A special case is supported that allows you to permit all sub-domains:
# Allow requests from subdomains like `www.product.com` and
# `beta1.product.com`.
Rails.application.config.hosts << ".product.com"
Diffstat (limited to 'railties/CHANGELOG.md')
| -rw-r--r-- | railties/CHANGELOG.md | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index ff6a00f82b..59024b13ef 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,3 +1,38 @@ +* Introduce guard against DNS rebinding attacks + + The `ActionDispatch::HostAuthorization` is a new middleware that prevent + against DNS rebinding and other `Host` header attacks. It is included in + the development environment by default with the following configuration: + + Rails.application.config.hosts = [ + IPAddr.new("0.0.0.0/0"), # All IPv4 addresses. + IPAddr.new("::/0"), # All IPv6 addresses. + "localhost" # The localhost reserved domain. + ] + + In other environments `Rails.application.config.hosts` is empty and no + `Host` header checks will be done. If you want to guard against header + attacks on production, you have to manually whitelist the allowed hosts + with: + + Rails.application.config.hosts << "product.com" + + The host of a request is checked against the `hosts` entries with the case + operator (`#===`), which lets `hosts` support entries of type `RegExp`, + `Proc` and `IPAddr` to name a few. Here is an example with a regexp. + + # Allow requests from subdomains like `www.product.com` and + # `beta1.product.com`. + Rails.application.config.hosts << /.*\.product\.com/ + + A special case is supported that allows you to whitelist all sub-domains: + + # Allow requests from subdomains like `www.product.com` and + # `beta1.product.com`. + Rails.application.config.hosts << ".product.com" + + *Genadi Samokovarov* + * Remove redundant suffixes on generated helpers. *Gannon McGibbon* |