It is possible to spoof the HTTP Host header for nefarious purposes, and trick Drupal into using a different domain name in several subsystems (particularly link generation). The Symfony framework provides a trusted host mechanism, where site administrators can whitelist hostnames. This mechanism can now be configured through settings.php.
$settings['trusted_host_patterns']
$settings['trusted_host_patterns'] should be an array of regular expression patterns, without delimiters, representing the hosts you would like to allow.
Examples
If a site is run off of a single, canonical domain, then
$settings['trusted_host_patterns'] = array(
'^www\.example\.com$',
);
will allow the site to only run from www.example.com. If you need to run a site off of multiple domains, and are not doing canonical URL redirection, then
$settings['trusted_host_patterns'] = array(
'^example\.com$',
'^.+\.example\.com$',
'^example\.org$',
'^.+\.example\.org$',
);
will allow the site to run off of all variants of example.com and example.org, with all subdomains included.
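Why every pattern needs escaped dots and both anchors, as an added example that is not Drupal or Symfony code: it runs constructed Host values against an anchored set, a set missing the trailing $, a set with an unescaped dot, and a catch-all. host_is_trusted() is a hypothetical helper that assumes patterns are applied as case-insensitive regular expressions to the lower-cased Host value with any port removed.

```php
<?php
// Added example, not Drupal or Symfony code. host_is_trusted() is a
// hypothetical helper modelling the documented behaviour: each pattern is a
// delimiter-less regex, matched case-insensitively against the Host value.
function host_is_trusted(string $host, array $patterns): bool {
  // Assumption: drop an optional :port and normalise case before matching.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  foreach ($patterns as $pattern) {
    // Wrap in {} delimiters because the patterns carry none of their own.
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Pattern sets to compare (all constructed for this example).
$pattern_sets = [
  'anchored'  => ['^example\.org$', '^.+\.example\.org$'],
  'no end $'  => ['^example\.org', '^.+\.example\.org'],
  'unescaped' => ['^www.example.org$'],
  'catch-all' => ['.*'],
];

// Constructed Host header values: two legitimate, three look-alikes.
$hosts = [
  'example.org',
  'shop.example.org:8443',
  'example.org.attacker.test',
  'wwwxexample.org',
  'attacker.test',
];

foreach ($pattern_sets as $label => $patterns) {
  echo "[$label] ", implode(', ', $patterns), PHP_EOL;
  foreach ($hosts as $host) {
    $verdict = host_is_trusted($host, $patterns) ? 'TRUSTED' : 'rejected';
    printf("  %-28s %s\n", $host, $verdict);
  }
}
```

Run it with the PHP command-line interpreter; only the anchored set rejects all three look-alike hosts while still accepting the legitimate ones.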
Comments
I found this to be more helpful.
http://drupal.stackexchange.com/questions/145690/untrusted-host-localhos...
//
$settings['trusted_host_patterns'] = array(
'^example\.com$',
'^www\.example\.com$',
);
//
and move them to the bottom of the settings.php file:
add comment delimiters
Have to add comment delimiters, not just remove comment asterisks at beginning of line
*
*
*/
$settings['trusted_host_patterns'] = array(
'^example\.com$',
'^.+\.example\.com$',
);
/**
*
This works best
This solution allows you to keep it with the rest of the surrounding documentation. Adding the comment delimiters is the best way.
Trusted host patterns
Should I use the '^example\.com$', or put my domain '^apclass\.org$',
comment delimiters was key for me!
Thank you! It was not working because I just removed the asterisks too!
What about cyrillic domains
I have a site located in the zone "рф" (Cyrillic).
How can I set this parameter for it? It doesn't work with "рф" and in "xn--p1ai"
It works only with Punycode
It works only with Punycode (xn--p1ai)
Hello,
I tried to add an IP address, for example: 172.20.0.3
I get this error : The provided host name is not valid for this server.
Here are my settings
working in localhost
$settings['trusted_host_patterns'] = array(
'^localhost$',
);
The above code worked in my localhost XAMPP, PHP Version 5.6.11, as mentioned here: https://www.drupal.org/node/2622894
localhost addr
localhost is 127.0.0.1
domain end with com.cn
What if my domain is www.abcd.com.cn?
Is '^www\.example\.com\.cn$' right for this kind of domain? Thanks.
.co.uk configuration
Hi,
I'm trying to configure this for a domain that is similar to below:
www.testsite.co.uk/v8
the v8 is the subfolder that the URL re-directs to under the public_html directory.
I have tried all sorts of combinations but I just can't get it to work. Any suggestions would be most helpful.
Many thanks in advance.
How set the info that pointed above?
My OS is Ubuntu. And I installed Docker. I created two containers and let them link to each other. I successfully installed Drupal 8. But my Status Report showed:
Trusted Host Settings Not enabled
And next, I did this:
root@f37d63cefbc0:/var/www/html/sites/default# vim settings.php
Add this
Now my browser can't open "localhost".
Can anyone tell me which step is wrong? And please forgive my poor English. Thanks.
Docker is going to make this
Docker is going to make this a bit more complicated.
You probably want to add back '^localhost$' and also '127.0.0.1' for good measure, there also may be a need for internal docker hostnames depending on your docker setup.
Thank you.
Include in original settings.php
Why hasn't this code and its explanation been put into the distributed settings.php and been commented out already? That way it would be clear where to put it and how.
This is in the settings file
This is in the settings file (lines 700-735 for me). What do you think could be expanded in it?
Generic pattern
If you want to allow all domains, just to get rid of the error notice on the status page, add a generic pattern:
TRUSTED HOST SETTINGS Drupal8
Thank you. It worked well.
$settings['trusted_host_patterns'] = [ '.*' ];
+1
+1, thanks, to keep safety, please remember to change back permissions to 444 on settings.php
Not working for me in XAMPP =(
error when trying to install core and external modules
$settings['trusted_host_patterns'] = array(
'^localhost$',
'^192\.168\.0\.22$',
'^127\.0\.0\.1$',
);
Have stopped and started XAMPP and cleared the cache - no change.
This is ridiculous! =(
Ensure code hasn't been commented out
I had all of the problems listed above, until I realised I had commented out the php code inadvertently (silly me).
Check that the code hasn't been accidentally embedded within /* and */ .
Nope.
It is clear of a comment!
Thanks for the idea!
After much gnashing of teeth
After much gnashing of teeth I found this to be really clear so I thought I'd post the link. Hope that's ok:
https://www.youtube.com/watch?time_continue=409&v=FxIginfXTIU
Thank you!
This Helped me for WAMP ( Windows 10 )
Gonzalo Garcia
Freelance Webmaster
still having an error after modifying the settings.php file
added this code to my settings.php file already
but I'm still having the error in the Status report section.
It helped. Thanks.
Drupal 8.7.7 on the Linux Mint 18.2
Mon Sep 30 18:59:31 MSK 2019
with setup like following
example.org
d8.example.org
what should be the correct value for $settings['trusted_host_patterns']?
I tried all of the following and also individual value but still got "Not enabled" error in Status report. Is that error false positive or should I have to reinstall drupal8 again like @deanflory's comment at https://www.drupal.org/node/1992030/discuss
works good!
Thank you for help, works good, specially for subdomains.
Hi, I need a little help here
Hi, I need a little help here please!
I am running a Drupal 8.6 website on the subdomain me.goodname.com and it is worth mentioning that the domain name goodname.com is running another Drupal 7 website which is not connected at all with the subdomain me.goodname.com.
So my cPanel structure is as below:
-- (home)
------ (username)
------------ (public_html)
------------------- (me.goodname.com)
--------------------------- folders & files of drupal 8 website.
------------------- (goodname.com)
--------------------------- folders & files of drupal 7 website.
For the subdomain me.goodname.com, I created a redirect rule in the .htaccess file to redirect www.me.goodname.com to me.goodname.com.
I understand that in the trusted_host_patterns of the me.goodname.com subdomain, I must mention both subdomains, with www and without it. So what will be the trusted_host_patterns for the subdomain me.goodname.com? Are the below settings good?
Thank you for any help,
The Examples
Not sure why this hasn't been caught already, but it looks like the '$' (dollar sign) is missing at the end of both '.org' examples in code set #2 above.
$settings['trusted_host
with the above, only www.temp.com works, how can I make it work for temp.com as well?
trusted_host_patterns and german umlaut url
I read all the comments here, but I need some more time and tests to get German umlauts working with Drupal.
When you have a URL like "lübecker-abc.de" you can convert this to Punycode and get "xn--lbecker-abc-thb"
Here is the converter, thanks -sibero-
https://www.punycoder.com
So the trusted_host_patterns looks like:
How to implement trusted hosts settings in drupal 7
Trusted hosts are supported by Drupal 8 or higher. Are there any settings available in a Drupal 7 application, or a similar solution, that will protect a D7 app from a host header attack?
Thanks guys
I had just removed the asterisks and never read down further. After many hours scratching my head and searching, I finally read this entire page and realized that just removing the asterisks was not the correct way. For the past 3 months 6 of my Drupal sites have been open and now I have hopefully got it corrected.
I love Drupal. I played with Drupal back in its early days, 2005 and 2006, and something was telling me then that it was going to be something I would use!
Great job and I highly recommend Drupal to all my clients who need a cms. The Drupal Team is fantastic, and Drupal is the bomb!
Loyal Drupal Supporter!