Merge pull request #1803 from alphagov/configure-config-hosts

sarahseewhy · web-flow · commit b3f543af4e0d · 2025-12-30T13:14:31.000Z
Add config.hosts configuration to production
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -1,4 +1,5 @@
 require "active_support/core_ext/integer/time"
+require_relative "../../lib/host_patterns"
 
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
@@ -72,13 +73,10 @@
   config.active_support.report_deprecations = false
 
   # Enable DNS rebinding protection and other `Host` header attacks.
-  # config.hosts = [
-  #   "example.com",     # Allow requests from example.com
-  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
-  # ]
-  #
+  config.hosts = HostPatterns.allowed_host_patterns
+
   # Skip DNS rebinding protection for the default health check endpoint.
-  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+  config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 
   # Set ActiveRecord Encryption keys
   if ENV.key? "KMS_KEY_ID"
diff --git a/lib/host_patterns.rb b/lib/host_patterns.rb
@@ -0,0 +1,14 @@
+module HostPatterns
+  DEFAULT_HOST_PATTERNS = [
+    /submit\.forms\.service\.gov\.uk/,
+    /submit\.[^.]*\.forms\.service\.gov\.uk/,
+    /submit\.internal.[^.]*\.forms\.service\.gov\.uk/,
+    /pr-[^.]*\.submit\.review\.forms\.service\.gov\.uk/,
+  ].freeze
+
+  def self.allowed_host_patterns
+    additional_patterns = ENV.fetch("ALLOWED_HOST_PATTERNS", "").split(",").map { |pattern| Regexp.new(pattern.strip) }
+
+    [*DEFAULT_HOST_PATTERNS, *additional_patterns]
+  end
+end
