Rack::AllowedHosts

Host-Header Injection Protection

Usage

1. Install

gem 'rack-allowed_hosts'

2. Include Middleware

In config/application.rb, (if using Rails):

class MyApplication < Rails::Application
  ...
  if Rails.env == 'production'
    require 'rack/allowed_hosts'
    config.middleware.use Rack::AllowedHosts do

      # Allow root domain:
      allow 'myapp.com'

      # Allow our subdomains
      allow 'www.myapp.com', 'app.myapp.com'

      # Allow any subdomain with a wildcard
      allow '*.myapp.com'
      
      # Include subdomain from a configuration variable:
      # ENV['ALLOWED_HOSTS'] can be a string or an array of strings.
      allow ENV['ALLOWED_HOSTS']
    end
  end

Features

Pattern Matching

Wildcards (*) can be placed anywhere in the host pattern, and used to match any string, even including ..

So *.mydomain.com would match the following hosts:

• platform.mydomain.com
• www.mydomain.com
• client.app.mydomain.com

This pattern would not match the following hosts:

• mydomain.com - this pattern should be included separately if needed
• mydomain.com.au
• mydomain.com.otherwebsite.com

Warnings

Do not simply allow all hosts. This would defeat the purpose of using the middleware

Do not do this:

allow '*'

...or this...

allow '*.com'

...or any of these... (will enable anyone to spoof with mydomain.com.maliciousdomain.com)

allow 'mydomain.*'
allow 'mycomain.com.*'

...or this (will not match anything)

allow '*-something.mydomain.com'