Change record status: 
Project: 
Introduced in branch: 8.0.x
Description: 

It is possible to spoof the HTTP Host header for nefarious purposes and trick Drupal into using a different domain name in several subsystems (particularly link generation). The Symfony framework provides a trusted host mechanism with which site administrators can whitelist hostnames. This mechanism can now be configured through settings.php.

$settings['trusted_host_patterns']

$settings['trusted_host_patterns'] should be an array of regular expression patterns, without delimiters, representing the hosts you would like to allow.

Examples

If a site is run off of a single, canonical domain, then

$settings['trusted_host_patterns'] = array(
  '^www\.example\.com$',
);

will allow the site to run only from www.example.com. If you need to run a site off of multiple domains, and are not doing canonical URL redirection, then

$settings['trusted_host_patterns'] = array(
  '^example\.com$',
  '^.+\.example\.com$',
  // Anchor each pattern with both ^ and $ so it matches the whole host, not just a prefix.
  '^example\.org$',
  '^.+\.example\.org$',
);

will allow the site to run off of all variants of example.com and example.org, with all subdomains included.

Impacts: Site builders, administrators, editors
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done

Comments

Hancock Glen wrote:

http://drupal.stackexchange.com/questions/145690/untrusted-host-localhos...

//
$settings['trusted_host_patterns'] = array(
'^example\.com$',
'^www\.example\.com$',
);

//

and move them to the bottom of the settings.php file:

carlvault wrote:

You have to add comment delimiters, not just remove the comment asterisks at the beginning of the lines:

*
*
*/

$settings['trusted_host_patterns'] = array(
'^example\.com$',
'^.+\.example\.com$',
);

/**
*

ElegantSolutions wrote:

This solution allows you to keep it with the rest of the surrounding documentation. Adding the comment delimiters is the best way.

Positiff wrote:

I have a site located in the zone "рф" (Cyrillic).

How can I set this parameter for it? It doesn't work with "рф" or with "xn--p1ai".

-sibero- wrote:

It works only with Punycode (xn--p1ai).

joeland wrote:

Hello,

I tried to add an IP address, for example 172.20.0.3.
I get this error: The provided host name is not valid for this server.

Here are my settings:

$settings['trusted_host_patterns'] = array(
  '^172\.20.\0.\3$',
  '^localhost$',
);

srikanth.g wrote:

$settings['trusted_host_patterns'] = array(
'^localhost$',
);

The above code worked on my localhost XAMPP, PHP version 5.6.11, as mentioned here: https://www.drupal.org/node/2622894

dminca wrote:

localhost is 127.0.0.1

geidin wrote:

What if my domain is www.abcd.com.cn?
Is '^www\.example\.com\.cn$' right for this kind of domain? Thanks.

hollpe wrote:

Hi,

I'm trying to configure this for a domain that is similar to below:

www.testsite.co.uk/v8

the v8 is the subfolder that the URL re-directs to under the public_html directory.

I have tried all sorts of combinations but I just can't get it to work. Any suggestions would be most helpful.

Many thanks in advance.

jayly wrote:

My OS is Ubuntu, and I installed Docker. I created two containers and linked them to each other. I successfully installed Drupal 8, but my Status Report showed "Trusted Host Settings: Not enabled". Next, I did this: root@f37d63cefbc0:/var/www/html/sites/default# vim settings.php and added this:

$settings['trusted_host_patterns'] = array(
  '^example\.com$',
  '^.+\.example\.com$',
  '^example\.org',
  '^.+\.example\.org',
);

Now my browser can't open "localhost".
Can anyone tell me which step is wrong? And please forgive my poor English. Thanks.

mrf wrote:

Docker is going to make this a bit more complicated.

You probably want to add back '^localhost$' and also '127.0.0.1' for good measure; there may also be a need for internal Docker hostnames, depending on your Docker setup.

jayly wrote:

Thank you.

spade wrote:

Why hasn't this code and its explanation been put into the distributed settings.php, commented out, already? That way it would be clear where to put it and how.

mpdonadio wrote:

This is in the settings file (lines 700-735 for me). What do you think could be expanded in it?

drubb wrote:

If you want to allow all domains, just to get rid of the error notice on the status page, add a generic pattern:

$settings['trusted_host_patterns'] = [ '.*' ];
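
To make the matching behaviour concrete, here is an added Python emulation (not Drupal's or Symfony's own code) of how a trusted_host_patterns list is applied: each pattern is tested case-insensitively against the Host header with any port removed, which is how Symfony evaluates the list Drupal hands it. The hosts and patterns are constructed to cover the cases raised in the change record and the comments above: the canonical pattern, a pattern left unanchored at the end, the catch-all '.*', an IP pattern with the backslashes on the wrong characters, and a Cyrillic domain whose Host header arrives in Punycode.

```python
import re

# Added emulation, not Drupal's or Symfony's own code: Symfony wraps each
# configured pattern in delimiters with the "i" flag and tests the Host
# header, lowercased and with any ":port" removed, against each one.
def host_is_trusted(host, patterns):
    host = re.sub(r':\d+$', '', host.strip().lower())
    for pattern in patterns:
        try:
            if re.search(pattern, host, re.IGNORECASE):
                return True
        except re.error:
            # A pattern that does not compile can never match; PHP's
            # preg_match() would return false with a warning here.
            continue
    return False

# Constructed hosts and pattern lists covering the cases discussed above.
CANONICAL = [r'^www\.example\.com$']
UNANCHORED = [r'^example\.org']        # no "$": matches any host that starts this way
ANCHORED = [r'^example\.org$']
ALLOW_ALL = ['.*']                     # silences the status report but trusts every Host
IP_MISESCAPED = [r'^172\.20.\0.\3$']   # backslashes on digits: "\3" is a back-reference
IP_ESCAPED = [r'^172\.20\.0\.3$']      # backslashes on the literal dots
# A browser sends an IDN host as Punycode, so the pattern must use that form.
IDN_HOST = "пример.рф".encode("idna").decode("ascii")   # ends in .xn--p1ai
IDN_UNICODE = [r'^пример\.рф$']
IDN_PUNYCODE = ['^' + re.escape(IDN_HOST) + '$']

def demo():
    """Return which constructed Host values each pattern list trusts."""
    return {
        "canonical_exact": host_is_trusted("www.example.com", CANONICAL),
        "canonical_port_and_case": host_is_trusted("WWW.Example.COM:8443", CANONICAL),
        "canonical_bare_domain": host_is_trusted("example.com", CANONICAL),
        "unanchored_longer_host": host_is_trusted("example.org.invalid", UNANCHORED),
        "anchored_longer_host": host_is_trusted("example.org.invalid", ANCHORED),
        "allow_all_any_host": host_is_trusted("anything.invalid", ALLOW_ALL),
        "ip_misescaped": host_is_trusted("172.20.0.3", IP_MISESCAPED),
        "ip_escaped": host_is_trusted("172.20.0.3", IP_ESCAPED),
        "idn_unicode_pattern": host_is_trusted(IDN_HOST, IDN_UNICODE),
        "idn_punycode_pattern": host_is_trusted(IDN_HOST, IDN_PUNYCODE),
    }

if __name__ == "__main__":
    for case, trusted in demo().items():
        print(f"{case:26} {'trusted' if trusted else 'rejected'}")
```
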

FreeXenon wrote:

Error when trying to install core and external modules:

$settings['trusted_host_patterns'] = array(
'^localhost$',
'^192\.168\.0\.22$',
'^127\.0\.0\.1$',
);

Have stopped and started XAMPP and cleared the cache - no change.
This is ridiculous! =(

xavocambo wrote:

I had all of the problems listed above, until I realised I had commented out the php code inadvertently (silly me).

Check that the code hasn't been accidentally embedded within /* and */ .

FreeXenon wrote:

Nope.
It is clear of a comment!

Thanks for the idea!