Host header injection
sunny opened this issue
The following point does not seem to be doing any help against host header injection (and cache poisoning):

> Prevent host header injection - add the following to `config/environments/production.rb`:
>
> ```ruby
> config.action_controller.default_url_options = {host: "www.yoursite.com"}
> config.action_controller.asset_host = "www.yoursite.com"
> ```

On a Rails app with this configuration in development, calling `curl -H "Host: example.com" http://localhost:3000/` on a page that contains, for example, `<%= root_url %>` prints out "example.com" instead of "localhost:3000".
Hey @sunny, be sure to restart your web server after updating `config/environments/*` files. I just tested on Rails 4.2 and 5 and it works as expected.
Hey @ankane, thanks for testing this out. It actually comes from the fact that I tested this on a Rails 3 app… Sorry for the bother! :/
For anybody finding this that is still on Rails 3, I opted for the rack-ssl-enforcer gem with the `redirect_to` option, which forces the correct domain and prevents the injection from having any effect.
Also see rails/rails#29893
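The underlying problem in this thread is that Rails' URL helpers build absolute URLs from whatever the request's `Host` header says, so a forged header ends up in generated links and in anything a cache stores. Setting `default_url_options` pins the host for the helpers; a complementary defence is to refuse the request altogether when the host is not one you serve. The block below is an added example written for this page (it is not code from the thread, from Rails, or from the rack-ssl-enforcer gem): a minimal Rack-style middleware that allow-lists the `Host` header (and any proxy-supplied `X-Forwarded-Host`), run against constructed request environments. The class name `HostAllowlist`, the stand-in `APP`, and the hostnames are assumptions made for the example.

```ruby
# Added example, not from the issue thread or any gem it mentions.
# A Rack-compatible middleware that only passes requests whose Host header
# (and X-Forwarded-Host, if a proxy set it) is on an allow-list. Anything else
# is answered with 400 before the application can build URLs from the header.
class HostAllowlist
  # hosts: exact hostnames to accept, e.g. ["www.yoursite.com"]; ports are ignored.
  def initialize(app, hosts)
    @app = app
    @hosts = hosts.map(&:downcase)
  end

  def call(env)
    candidates = [env["HTTP_HOST"], env["HTTP_X_FORWARDED_HOST"]].compact
    return reject if candidates.empty?
    # X-Forwarded-Host may carry a comma-separated chain; every entry must be allowed.
    names = candidates.flat_map { |v| v.split(",") }.map { |h| strip_port(h.strip) }
    return reject unless names.all? { |h| @hosts.include?(h) }
    @app.call(env)
  end

  private

  # Handles "example.com:3000" as well as bracketed IPv6 literals like "[::1]:3000".
  def strip_port(host)
    host = host.downcase
    if host.start_with?("[")
      close = host.index("]")
      close ? host[0, close + 1] : host
    else
      host.split(":").first.to_s
    end
  end

  def reject
    [400, { "Content-Type" => "text/plain" }, ["Bad Request: unrecognised Host header"]]
  end
end

# Stand-in for the Rails app: echoes the URL it would build root_url from (assumption).
APP = lambda { |env| [200, { "Content-Type" => "text/plain" }, ["http://#{env['HTTP_HOST']}/"]] }

def protected_app
  HostAllowlist.new(APP, ["www.yoursite.com", "localhost"])
end

# Runs one constructed request through the middleware; returns [status, body].
def request_with(host, forwarded_host = nil)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "HTTP_HOST" => host }
  env["HTTP_X_FORWARDED_HOST"] = forwarded_host if forwarded_host
  status, _headers, body = protected_app.call(env)
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  p request_with("localhost:3000")                  # the curl from the thread, genuine host
  p request_with("example.com")                     # the forged Host header: rejected
  p request_with("www.yoursite.com", "example.com") # forged via X-Forwarded-Host: rejected
end
```

The middleware is deliberately strict: it checks every hop in `X-Forwarded-Host`, compares case-insensitively, and ignores only the port, so a host that is merely a prefix or suffix of an allowed name does not pass. Rails 6 later shipped the same idea as `config.hosts` (`ActionDispatch::HostAuthorization`); on the Rails 3 and 4 apps this thread is about, a small middleware like this one or the rack-ssl-enforcer redirect is the equivalent.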