3.43.0.txt

doc/release_notes/3.43.0.txt
Last Update: 2021-04-12 11:10:19 -0700

New Features

  • A host_authorization plugin has been added to verify the requested Host header is authorized. Using it can prevent DNS rebinding attacks in cases where the application can receive requests for arbitrary hosts.

    To check for authorized hosts in your routing tree, you call the check_host_authorization! method. For example, if you want to check for authorized hosts after serving requests for public files, you could do:

    plugin :public
    plugin :host_authorization, 'my-domain-name.example.com'
    
    route do |r|
      r.public
      check_host_authorized!
    
      # ... rest of routing tree
    end

    In addition to handling single domain names via a string, you can provide an array of domain names, a regexp to match again, or a proc.

    By default, requests using unauthorized hosts receive an empty 403 response. If you would like to customize the response, you can pass a block when loading the plugin:

    plugin :host_authorization, 'my-domain-name.example.com' do |r|
      response.status = 403
      "Response Body Here"
    end