Sha256: 1829c9d6a36f5c84090e3b1380d5d900cd7d83a7998977f06191d7122876223a

Contents

= New Features

* A host_authorization plugin has been added to verify the requested
  Host header is authorized.  Using it can prevent DNS rebinding
  attacks in cases where the application can receive requests for
  arbitrary hosts.

  To check for authorized hosts in your routing tree, you call the
  check_host_authorized! method.  For example, if you want to
  check for authorized hosts after serving requests for public
  files, you could do:

    plugin :public
    plugin :host_authorization, 'my-domain-name.example.com'

    route do |r|
      r.public
      check_host_authorized!

      # ... rest of routing tree
    end

  In addition to handling single domain names via a string, you can
  provide an array of domain names, a regexp to match against, or a
  proc.
  
  By default, requests using unauthorized hosts receive an empty 403
  response.  If you would like to customize the response, you can
  pass a block when loading the plugin:

    plugin :host_authorization, 'my-domain-name.example.com' do |r|
      response.status = 403
      "Response Body Here"
    end
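
The matcher forms listed above (string, array, regexp, proc), run against constructed Host header values to show why a regexp matcher needs anchoring. This is an added example, not code from the release notes and not Roda's implementation; `normalize_host`, `host_allowed?`, `audit` and the sample hosts are hypothetical, and lowercasing the host and dropping the port before matching are assumptions.

```ruby
# Added illustration using only the standard library; not Roda's implementation.
# Assumption: the host is lowercased and any :port suffix dropped before matching.
def normalize_host(header)
  host = header.to_s.strip.downcase
  return host[/\A\[[^\]]*\]/] || host if host.start_with?('[') # IPv6 literal
  host.sub(/:\d+\z/, '')
end

# matcher may be a String, a Regexp, a Proc, or an Array of those.
def host_allowed?(matcher, header)
  host = normalize_host(header)
  case matcher
  when Array  then matcher.any? { |m| host_allowed?(m, host) }
  when String then matcher.downcase == host
  when Regexp then matcher.match?(host)
  when Proc   then !!matcher.call(host)
  else false
  end
end

ALLOWED = 'my-domain-name.example.com'

# Unanchored: matches any host that merely contains the allowed name.
LOOSE_RE = /my-domain-name\.example\.com/

# Anchored with \A and \z (in Ruby, ^ and $ only anchor to line boundaries).
# Allows the name itself plus one optional subdomain label.
STRICT_RE = /\A(?:[a-z0-9-]+\.)?my-domain-name\.example\.com\z/

# Constructed Host header values, not taken from real traffic.
SAMPLE_HOSTS = [
  'my-domain-name.example.com',
  'My-Domain-Name.Example.com:9292',
  'rebind.attacker.test',                     # foreign name pointed at this server
  'my-domain-name.example.com.attacker.test', # allowed name used as a prefix
  '192.168.1.10:9292',                        # request addressed by raw IP
  ''                                          # missing Host header
].freeze

# Returns { host_header => allowed? } for every sample value.
def audit(matcher)
  SAMPLE_HOSTS.to_h { |h| [h, host_allowed?(matcher, h)] }
end

if __FILE__ == $PROGRAM_NAME
  { 'string' => ALLOWED, 'loose' => LOOSE_RE, 'strict' => STRICT_RE }.each do |name, m|
    audit(m).each { |host, ok| puts format('%-7s %-45s %s', name, host.inspect, ok) }
  end
end
```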

Version data entries

41 entries across 41 versions & 1 rubygems

Version Path
roda-3.83.0 doc/release_notes/3.43.0.txt