Add dynamic config to control allowed Host headers #6750
Conversation
bergundy
force-pushed
the
http-allowed-hosts
branch
from
2a54283
to
f09b0fa
Compare
bergundy
force-pushed
the
http-allowed-hosts
branch
2 times, most recently
from
9b985f0
to
c169e01
Compare
common/dynamicconfig/constants.go
Outdated
|
|
||
| FrontendHTTPAllowedHosts = NewGlobalTypedSetting( | ||
| "frontend.httpAllowedHosts", | ||
| []string{"*"}, |
There was a problem hiding this comment.
you can't use a non-nil reference for the default value because of how the default converter works (it does a shallow copy and then asks mapstructure to fill it in). this has to be []string(nil) and then handle the nil in application code (or in your second level converter)
There was a problem hiding this comment.
Can you elaborate why this is a problem? I'm not sure I'm following. Are you saying that mapstructure will append to this default?
Seems like a usability issue. You can't expect to be the gatekeeper for all DC changing PRs.
There was a problem hiding this comment.
I know :( It should be commented somewhere but I'm not sure where, there's no obvious place for the "api" for defining settings.
I was planning to add a linter or a runtime check using reflection at static init time.
bergundy
force-pushed
the
http-allowed-hosts
branch
from
9a30eb6
to
f5bf8c3
Compare
What changed?
Add a dynamic config to restrict which HTTP
Hostheader values are allowed in HTTP API requests.Why?
Prevent DNS rebinding attacks.
How did you test it?
Added a functional test.