Only allowed hostnames can access the site

This is a common thing that comes out of pentests, so is worth having across all of our projects.
dxw · Feb 19, 2021 · 4000637 · 4000637
1 parent 9c31c40
commit 4000637
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/.env.example b/.env.example
@@ -11,3 +11,11 @@ ROLLBAR_ENV=development
 
 # TODO: Replace `rails-template` with the name of the app.
 DATABASE_URL=postgres://postgres@localhost:5432/rails-template-development
+
+# TODO: Replace `example.com` with the canonical hostname of the app
+CANONICAL_HOSTNAME=example.com
+
+# TODO: Add a comma seperated list of any other hostnames you want to
+# app to respond to and redirect to the canonical hostname, or delete
+# this line completely
+ADDITIONAL_HOSTNAMES=
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -93,6 +93,15 @@
   # Do not dump schema after migrations.
   config.active_record.dump_schema_after_migration = false
 
+  # See https://github.com/rails/rails/issues/29893
+  # This only allows hosts the application can trust when using `url_for` and related helpers
+  if ENV["CANONICAL_HOSTNAME"].present?
+    hosts = []
+    hosts << ENV["CANONICAL_HOSTNAME"]
+    hosts += ENV["ADDITIONAL_HOSTNAMES"].split(",").map { |domain| domain } if ENV["ADDITIONAL_HOSTNAMES"].present?
+    config.hosts = hosts.compact
+  end
+
   # Inserts middleware to perform automatic connection switching.
   # The `database_selector` hash is used to pass options to the DatabaseSelector
   # middleware. The `delay` is used to determine how long to wait after a write