ActionDispatch::HostAuthorization
This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization.
Requests can opt-out of Host Authorization with exclude:
config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run, which responds with 403 Forbidden.
Constants
DEFAULT_RESPONSE_APP = -> env do\nrequest = Request.new(env)\n\nformat = request.xhr? ? "text/plain" : "text/html"\ntemplate = DebugView.new(host: request.host)\nbody = template.render(template: "rescues/blocked_host", layout: "rescues/layout")\n\n[403, {\n"Content-Type" => "#{format}; charset=#{Response.default_charset}",\n"Content-Length" => body.bytesize.to_s,\n}, [body]]\nend
Files
- actionpack/lib/action_dispatch/middleware/host_authorization.rb
