ankane / secure_rails

Rails security best practices

Host header injection

sunny opened this issue · comments

The following point does not seem to be doing any help against host header injection (and cache poisoning):

  • Prevent host header injection - add the following to config/environments/production.rb

    config.action_controller.default_url_options = {host: "www.yoursite.com"}
    config.action_controller.asset_host = "www.yoursite.com"

On a Rails app with this configuration in development, calling curl -H "Host: example.com" http://localhost:3000/ on a page that contains, for example, <%= root_url %> prints out "example.com" instead of "localhost:3000".

Hey @sunny, be sure to restart your web server after updating config/environments/* files. I just tested on Rails 4.2 and 5 and it works as expected.

Hey @ankane thanks for testing this out. It actually comes from the fact that I tested this on a Rails 3 app… Sorry for the bother! :/

For anybody finding this that is still on Rails 3, I opted for the rack-ssl-enforcer gem with the redirect_to option which forces the correct domain and prevents the injection from having any effect.
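The redirect approach from the last comment, as an added example that is not from the secure_rails README, the rack-ssl-enforcer gem, or any participant in this thread: a minimal Rack-compatible middleware (plain Ruby, no gem dependency) that pins every request to one canonical host. A request whose Host header does not match is answered with a 301 to the same path and query on the configured host, so a spoofed Host never reaches the app's URL helpers or a cache in front of it. The class name CanonicalHostRedirect, the inner app, and the env hashes are all constructed for the example.

```ruby
# Added example (not from the secure_rails project or this thread): a small
# Rack-style middleware, in the spirit of the rack-ssl-enforcer :redirect_to
# option mentioned above, that redirects any request with a non-canonical Host
# header to the canonical host. Class and helper names are hypothetical.
class CanonicalHostRedirect
  def initialize(app, canonical_host:, scheme: "https")
    @app = app
    @canonical_host = canonical_host.downcase
    @scheme = scheme
  end

  def call(env)
    return @app.call(env) if canonical?(env)

    # Rebuild the requested path and query on the canonical host.
    location = "#{@scheme}://#{@canonical_host}#{env["PATH_INFO"]}"
    query = env["QUERY_STRING"].to_s
    location += "?#{query}" unless query.empty?
    [301,
     { "Content-Type" => "text/plain", "Location" => location },
     ["Redirecting to #{location}"]]
  end

  private

  # Rack exposes the Host header as HTTP_HOST, with SERVER_NAME as fallback.
  # The comparison is case-insensitive and ignores an explicit port.
  # X-Forwarded-Host is deliberately not consulted: a client can set it as
  # easily as Host, so only a trusted proxy layer should ever rewrite it.
  def canonical?(env)
    host = (env["HTTP_HOST"] || env["SERVER_NAME"]).to_s.downcase.sub(/:\d+\z/, "")
    host == @canonical_host
  end
end

# Constructed inner app: it builds a link from the request host the way a
# URL helper that trusts the Host header would, which is exactly what the
# middleware keeps an attacker-supplied host away from.
UNTRUSTING_APP = lambda do |env|
  [200, { "Content-Type" => "text/html" },
   ["<a href=\"http://#{env["HTTP_HOST"]}/\">home</a>"]]
end

# Run one constructed GET request through the middleware and return
# [status, Location header (nil when passed through), body].
def demo(host_header, path: "/login", query: "")
  app = CanonicalHostRedirect.new(UNTRUSTING_APP, canonical_host: "www.yoursite.com")
  status, headers, body = app.call(
    "REQUEST_METHOD" => "GET",
    "PATH_INFO" => path,
    "QUERY_STRING" => query,
    "HTTP_HOST" => host_header
  )
  [status, headers["Location"], body.join]
end

if __FILE__ == $0
  p demo("www.yoursite.com")                          # passes through
  p demo("WWW.yoursite.com:443")                      # passes through (case/port)
  p demo("example.com", query: "next=%2Faccount")     # 301 to the canonical host
end
```

The middleware belongs as early in the Rack stack as possible (before any caching layer), so that the poisoned response is never generated, let alone stored; placing it after a cache would still let a spoofed-host page be cached under the canonical URL.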