Class: ActionDispatch::HostAuthorization
| Relationships & Source Files | |
| Inherits: | Object |
| Defined in: | actionpack/lib/action_dispatch/middleware/host_authorization.rb |
Overview
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization.
Requests can opt-out of Host Authorization with exclude:
config. = { exclude: ->(request) { request.path =~ /healthcheck/ } }When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run. The default response app logs blocked host info with level ‘error’ and responds with 403 Forbidden. The body of the response contains debug info if config.consider_all_requests_local is set to true, otherwise the body is empty.
Constant Summary
-
ALLOWED_HOSTS_IN_DEVELOPMENT =
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 21[".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")]
Class Method Summary
Instance Method Summary
Constructor Details
.new(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil) ⇒ HostAuthorization
# File 'actionpack/lib/action_dispatch/middleware/host_authorization.rb', line 124
def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil) @app = app @permissions = Permissions.new(hosts) @exclude = exclude unless deprecated_response_app.nil? ActiveSupport::Deprecation.warn(<<-MSG.squish) `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 7.0. Use the Host Authorization `response_app` setting instead. MSG response_app ||= deprecated_response_app end @response_app = response_app || DefaultResponseApp.new end