This middleware guards from DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization.
Requests can opt-out of Host Authorization with exclude:
config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run, which responds with 403 Forbidden.
Methods
Constants
| DEFAULT_RESPONSE_APP | = | -> env do request = Request.new(env) format = request.xhr? ? "text/plain" : "text/html" template = DebugView.new(host: request.host) body = template.render(template: "rescues/blocked_host", layout: "rescues/layout") [403, { "Content-Type" => "#{format}; charset=#{Response.default_charset}", "Content-Length" => body.bytesize.to_s, }, [body]] end |
Class Public methods
new(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil) Link
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 74 def initialize(app, hosts, deprecated_response_app = nil, exclude: nil, response_app: nil) @app = app @permissions = Permissions.new(hosts) @exclude = exclude unless deprecated_response_app.nil? ActiveSupport::Deprecation.warn(<<-MSG.squish) `action_dispatch.hosts_response_app` is deprecated and will be ignored in Rails 6.2. Use the Host Authorization `response_app` setting instead. MSG response_app ||= deprecated_response_app end @response_app = response_app || DEFAULT_RESPONSE_APP end
Instance Public methods
call(env) Link
# File actionpack/lib/action_dispatch/middleware/host_authorization.rb, line 91 def call(env) return @app.call(env) if @permissions.empty? request = Request.new(env) if authorized?(request) || excluded?(request) mark_as_authorized(request) @app.call(env) else @response_app.call(env) end end