Oak Forest
2015-12-03, 02:31 PM
Description:
It is possible to spoof the HTTP Host header for nefarious purposes, and trick Drupal into using a different domain name in several subsystems (particularly link generation). The Symfony framework provides a trusted host mechanism, where site administrators can whitelist hostnames. This mechanism can now be configured through settings.php.
$settings['trusted_host_patterns']
$settings['trusted_host_patterns'] should be an array of regular expression patterns, without delimiters, representing the hosts you would like to allow.
Examples
If a site is run off of a single, canonical domain, then
$settings['trusted_host_patterns'] = array(
'^www\.example\.com$',
);
will allow the site to only run from www.example.com. If you need to run a site off of multiple domains, and are not doing canonical URL redirection, then
$settings['trusted_host_patterns'] = array(
'^example\.com$',
'^.+\.example\.com$',
'^example\.org$',
'^.+\.example\.org$',
);
will allow the site to run off of all variants of example.com and example.org, with all subdomains included.
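An added example, not part of the original post or of Drupal's code: it shows why each pattern needs both the ^ and $ anchors by matching a few constructed Host values against an anchored and an unanchored pattern set. The helper names host_is_trusted() and unanchored_patterns() are hypothetical; the patterns are wrapped in delimiters and matched case-insensitively, as Symfony's Request::setTrustedHosts() does.

```php
<?php
// Added example: helper names are hypothetical, host values are constructed.

/** Return TRUE if $host matches at least one trusted pattern. */
function host_is_trusted(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    // Patterns are written without delimiters; wrap them and match
    // case-insensitively, since hostnames are case-insensitive.
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

/** Return the patterns that are missing a leading ^ or a trailing $. */
function unanchored_patterns(array $patterns): array {
  return array_values(array_filter($patterns, function (string $p): bool {
    return $p === '' || $p[0] !== '^' || substr($p, -1) !== '$';
  }));
}

$anchored = ['^example\.org$', '^.+\.example\.org$'];
$unanchored = ['^example\.org', '^.+\.example\.org'];

// Constructed Host header values to test against both pattern sets.
$hosts = [
  'example.org',                // canonical domain
  'WWW.Example.Org',            // subdomain, mixed case
  'example.org.attacker.test',  // trusted name used only as a prefix
  'notexample.org',             // different registered domain
];

foreach ($hosts as $host) {
  printf("%-28s anchored=%-3s unanchored=%s\n",
    $host,
    host_is_trusted($host, $anchored) ? 'yes' : 'no',
    host_is_trusted($host, $unanchored) ? 'yes' : 'no');
}

// List the patterns in a set that should be reviewed before deployment.
print_r(unanchored_patterns($unanchored));
```

Only the unanchored set accepts example.org.attacker.test, because without the trailing $ the pattern matches any host that merely begins with the trusted name.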