DrQuincy

What does $config->httpHosts do?


In site/config I always thought $config->httpHosts was a list of HTTP hosts that were allowed to run the site. E.g. if domain1.com, www.domain1.com, domain2.com and www.domain2.com were all pointing to the web root and you only had ['domain1.com', 'www.domain1.com'] in $config->httpHosts then it prevents domain2.com and www.domain2.com from being allowed on the site (so you'd redirect them site-wide via .htaccess instead).

But I have just been playing around with it and it doesn't seem to make a difference what the values of this array are.

What does $config->httpHosts do exactly?

Thanks.

1 hour ago, DrQuincy said:

What does $config->httpHosts do exactly?

Nearly nothing. Displays a warning in the backend and "HTML Markup Quality Assurance" displays a message in debug mode when sleepLinks() detects an absolute URL in a textarea field that does not refer to an allowed host.


However, you can add functionality to check the current host.

$this->wire('config')->httpHost

https://processwire.com/api/ref/config/#pwapi-methods-HTTP-and-input
https://processwire.com/docs/start/variables/config/#httphosts

2 hours ago, DrQuincy said:

(so you'd redirect them site-wide via .htaccess instead).

If you need redirecting to the final domain name, you may have a look at this snippet. But you have to add it manually somewhere at the top of your root .htaccess file.

################################################################################
# Force domain name
#
<IfModule mod_rewrite.c>

    RewriteEngine On
    AddDefaultCharset UTF-8

    RewriteCond %{HTTP_HOST} ^example\.com                     [OR]
    RewriteCond %{HTTP_HOST} ^example-variation\.com           [OR]
    RewriteCond %{HTTP_HOST} ^www\.example-variation\.com
    RewriteRule ^(.*)$ https://www.example.com/$1              [L,R=301]

    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}        [L,R=301]

</IfModule>
#
################################################################################

 


Probably worth mentioning that since this setting prevents ProcessWire from using unfamiliar hosts in output, it's actually pretty important:

  • Let's say that your server was configured to serve your site with any host that a visitor happens to provide. (I've seen this happen, but admittedly it's a major configuration fumble.)
  • Someone points some-weird-and-perhaps-malicious-domain.tld to your site, and then visits the site using said domain. This could be intentional, or even an accident (again this is something I've seen happen, as weird as it may sound.)
  • Finally some code — your own, or perhaps code from a third party module, or even some core feature — asks ProcessWire for the full hostname, and makes use of it in output.

Now, if the $config->httpHosts setting didn't exist, ProcessWire would have no way to know which domains are valid, and it would just have to trust that the domain specified by the user is indeed a valid one. Any output using this potentially malicious domain could then get cached, leading to various cache poisoning related issues: redirecting other visitors to this domain, or perhaps making the visitor or ProcessWire itself unknowingly send private data there, thus granting a third party access to it.

 

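The situation described in the last post, sketched in plain PHP as an added example (not code from this thread or from ProcessWire core): a URL built straight from the client's Host header next to one checked against an allow-list. The function names, the sample hosts, and the fallback to the first list entry are assumptions.

```php
<?php
// Added illustration. Function names and host values are hypothetical.

/** Lowercase a raw Host header and strip port and trailing dot; null if malformed. */
function normaliseHost(string $raw): ?string
{
    // The D modifier stops "$" from matching before a trailing newline.
    if (!preg_match('/^([a-z0-9.-]+)(:\d{1,5})?$/D', strtolower(trim($raw)), $m)) {
        return null;
    }
    return rtrim($m[1], '.');
}

/** Return the request host if it is on the allow-list, else a known-good host. */
function trustedHost(string $rawHostHeader, array $allowedHosts): string
{
    $host = normaliseHost($rawHostHeader);
    if ($host !== null && in_array($host, $allowedHosts, true)) {
        return $host;
    }
    return $allowedHosts[0]; // assumption: the first entry is the canonical host
}

$allowed = ['www.domain1.com', 'domain1.com'];

// Constructed Host header values, as a catch-all virtual host would hand them to PHP.
$samples = [
    'www.domain1.com',
    'DOMAIN1.com:443',
    'some-weird-domain.tld',
    'domain1.com.some-weird-domain.tld',
    "domain1.com\r\nX-Injected: 1",
    '',
];

foreach ($samples as $raw) {
    $naive = 'https://' . $raw . '/about/';                          // trusts the client
    $safe  = 'https://' . trustedHost($raw, $allowed) . '/about/';   // safe to output or cache
    printf(
        "%s\n  naive: %s\n  safe:  %s\n",
        json_encode($raw),
        json_encode($naive, JSON_UNESCAPED_SLASHES),
        $safe
    );
}
```

Only the first two samples keep their own host in the checked URL; every other value falls back to www.domain1.com.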
