class HostAuthorization
Ruby on Rails 7.0.10
Since v6.0.6
This middleware guards against DNS rebinding attacks by explicitly permitting the hosts a request can be sent to, and is passed the options set in config.host_authorization.
Requests can opt out of Host Authorization with exclude:
config.host_authorization = { exclude: ->(request) { request.path =~ /healthcheck/ } }
When a request comes to an unauthorized host, the response_app application will be executed and rendered. If no response_app is given, a default one will run. The default response app logs blocked host info with level ‘error’ and responds with 403 Forbidden. The body of the response contains debug info if config.consider_all_requests_local is set to true, otherwise the body is empty.
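A simplified model of the flow described above, as an added example that is not Rails' own code: `HostGuardModel`, `Request`, `status_for` and the host names are hypothetical. It shows the default 403 response and why an `exclude` predicate should match the path exactly, since every excluded request skips the host check.

```ruby
# Added example: a simplified model of the request flow, not Rails' implementation.
Request = Struct.new(:host, :path) # constructed stand-in for a request object

class HostGuardModel
  # Mirrors the documented default: 403 Forbidden with an empty body.
  DEFAULT_RESPONSE_APP = ->(_request) { [403, {}, [""]] }

  def initialize(app, allowed_hosts, exclude: nil, response_app: nil)
    @app = app
    @allowed_hosts = allowed_hosts.map(&:downcase)
    @exclude = exclude
    @response_app = response_app || DEFAULT_RESPONSE_APP
  end

  def call(request)
    # Excluded requests skip the host check entirely, whatever Host they carry.
    return @app.call(request) if @exclude&.call(request)

    host = request.host.to_s.downcase.sub(/:\d+\z/, "") # drop an optional port
    return @app.call(request) if @allowed_hosts.include?(host)

    @response_app.call(request)
  end
end

# Constructed downstream application that always answers 200.
APP = ->(_request) { [200, {}, ["ok"]] }

# The unanchored pattern from the page, and an exact-match alternative.
LOOSE_EXCLUDE  = ->(request) { request.path =~ /healthcheck/ }
STRICT_EXCLUDE = ->(request) { request.path == "/healthcheck" }

# Returns the status the guarded app gives for one host/path pair.
def status_for(exclude, host, path)
  guard = HostGuardModel.new(APP, ["app.example.com"], exclude: exclude)
  guard.call(Request.new(host, path)).first
end
```

The unanchored pattern exempts any path that merely contains "healthcheck", so the exempted surface is wider than the single health endpoint.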
Inherits from
Constants
- ActionDispatch::HostAuthorization::ALLOWED_HOSTS_IN_DEVELOPMENT
- ActionDispatch::HostAuthorization::IPV4_HOSTNAME
- ActionDispatch::HostAuthorization::IPV6_HOSTNAME
- ActionDispatch::HostAuthorization::IPV6_HOSTNAME_WITH_PORT
- ActionDispatch::HostAuthorization::PORT_REGEX
- ActionDispatch::HostAuthorization::VALID_IP_HOSTNAME
Methods (defined here)
Private methods
(3)
Implementation detail — not part of the public API.
Methods (inherited)
From Object (16)
- # acts_like?
- # blank?
- # deep_dup
- # duplicable?
- # html_safe?
- # in?
- # instance_values
- # instance_variable_names
- # presence
- # presence_in
- # present?
- # to_param
- # to_query
- # try
- # try!
- # with_options
From ActiveRecord::TestFixtures (4)
From ActiveSupport::Concern (3)
- # class_methods
- # included
- # prepended