Configuring Trusted Host Settings
Drupal has a feature that tries to determine the base URL of the site automatically unless it is
explicitly configured. This can allow a host header attack to take place, because the HTTP ‘Host’
header can be forged by an attacker and therefore cannot be trusted.
Fortunately, Drupal has a built-in method of working around this issue by explicitly defining
which hostnames are to be accepted as valid host headers. This is done by adding the
following to your Drupal site’s settings.php.
If a site is run off of a single, canonical domain, then you can include the following in
sites/default/settings.php to allow the site to only run from www.example.com.
// Accept only requests whose Host header is exactly www.example.com.
// The '^' and '$' anchors matter: without them the pattern would also match
// hostnames that merely contain www.example.com.
$settings['trusted_host_patterns'] = array(
  '^www\.example\.com$',
);
If you need to run your site off of multiple domains, and are not redirecting to a single
domain, then you can include the following in settings.php to allow the site to run off of
example.com and example.net, with all subdomains included.
// Accept the bare domains and any subdomain of each. Every pattern is
// anchored at both ends so that a host such as example.net.attacker.tld
// does not match.
$settings['trusted_host_patterns'] = array(
  '^example\.com$',
  '^.+\.example\.com$',
  '^example\.net$',
  '^.+\.example\.net$',
);
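To show what these patterns actually do to an incoming request, here is an added example (not part of the article and not Drupal's own code) that re-implements the trusted-host check in Python: the Host header is lowercased and stripped of any port, then tested against each pattern with an unanchored regex search, which is why the ‘^’ and ‘$’ anchors in settings.php carry the weight. The normalisation step is an assumption modelled on how Drupal's underlying HTTP layer treats the host; the sample hostnames are constructed for illustration.

```python
import re

# Patterns mirroring the multi-domain example above (constructed for this demo).
TRUSTED_HOST_PATTERNS = [
    r"^example\.com$",
    r"^.+\.example\.com$",
    r"^example\.net$",
    r"^.+\.example\.net$",
]


def normalize_host(host_header):
    """Lowercase the raw Host header and drop a trailing :port.

    Assumption: this mirrors the normalisation Drupal's HTTP layer applies
    before matching, so patterns never need to account for case or port.
    """
    host = host_header.strip().lower()
    return re.sub(r":\d+$", "", host)


def is_trusted_host(host_header, patterns=TRUSTED_HOST_PATTERNS):
    """Return True if the Host header matches any trusted pattern.

    re.search (not re.fullmatch) is deliberate: the patterns are applied as
    written, so an author who omits '^' or '$' gets a looser check than
    intended. A request whose host fails this check should be rejected
    before any base-URL is derived from it.
    """
    host = normalize_host(host_header)
    return any(re.search(p, host, re.IGNORECASE) for p in patterns)


def unanchored_pitfall():
    """Demonstrate why a pattern without a '$' anchor is unsafe.

    '^example\\.net' (no '$') accepts an attacker-controlled host that merely
    starts with example.net; the anchored form does not.
    """
    loose = [r"^example\.net"]
    strict = [r"^example\.net$"]
    forged = "example.net.attacker.tld"  # constructed hostile Host value
    return is_trusted_host(forged, loose), is_trusted_host(forged, strict)


if __name__ == "__main__":
    for h in ["www.example.com", "EXAMPLE.NET:8080", "example.com.attacker.tld",
              "attacker-example.com"]:
        print(f"{h:30} trusted={is_trusted_host(h)}")
    print("unanchored accepts forged host, anchored rejects it:", unanchored_pitfall())
```

Running the block prints one line per sample host; only the first two are accepted, and the final line shows the loose pattern admitting the forged host while the anchored pattern rejects it.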
If we revisit Drupal’s status report, we can see that the alert shown in the previous screenshot has been resolved.
39 Cyber Warnings E-Magazine – March 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide