From 03c58fd698e9d0f9ea52920570fd54d425209800 Mon Sep 17 00:00:00 2001
From: Bruce Bolt
Date: Tue, 8 Oct 2024 10:26:36 +0100
Subject: [PATCH] Configure hosts for application

Note: the healthcheck endpoints are requested by IP, not domain, so we need to specifically exclude them from the protection.
---
 config/environments/production.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 917b2f2112..7e1c568822 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -93,10 +93,10 @@
 config.active_job.logger = Sidekiq.logger
 # Enable DNS rebinding protection and other `Host` header attacks.
- # config.hosts = [
- # "example.com", # Allow requests from example.com
- # /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
- # ]
+ config.hosts = [
+ /content-publisher\..*gov.uk?/,
+ ]
+
 # Skip DNS rebinding protection for the default health check endpoint.
- # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+ config.host_authorization = { exclude: ->(request) { request.path.match?("^\/healthcheck") } }
 end
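Review bot: The new `config.hosts` pattern `/content-publisher\..*gov.uk?/` is far looser than its evident intent: the `.` before `gov` is unescaped, the trailing `k?` makes the last character optional, and `.*` accepts any number of intermediate labels, so even with Rails wrapping each pattern in `\A…\z` a host such as `content-publisher.not-gov.uk` (constructed example) would be accepted, which is exactly the class of host the rebinding check exists to refuse. Either list the exact production hostnames as strings, or tighten the pattern to something like `/\Acontent-publisher\.[a-z0-9.-]+\.gov\.uk\z/` and add a comment naming the environments it is meant to cover. On the `host_authorization` line, `match?("^\/healthcheck")` builds a regexp from a string in which `^` is a line anchor and `\/` is just `/`; `request.path.start_with?("/healthcheck")` expresses the same prefix check without a regexp, and if only specific endpoints should bypass the check, compare against those exact paths rather than a prefix. The enclosing configure block starts before this hunk.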