Commit 2c280ba

minor #10138 Fix docs on trusted hosts (fabpot)
This PR was squashed before being merged into the 2.8 branch (closes #10138).

Discussion
----------

Fix docs on trusted hosts

Trusted hosts are always regular expressions.

Commits
-------

e2744ad Fix docs on trusted hosts
2 parents 8247d44 + e2744ad commit 2c280ba

1 file changed

+9
-9
lines changed

reference/configuration/framework.rst

+9-9
@@ -379,16 +379,16 @@ method might be vulnerable to some of these attacks because it depends on
379379
the configuration of your web server. One simple solution to avoid these
380380
attacks is to whitelist the hosts that your Symfony application can respond
381381
to. That's the purpose of this ``trusted_hosts`` option. If the incoming
382-
request's hostname doesn't match one in this list, the application won't
383-
respond and the user will receive a 500 response.
382+
request's hostname doesn't match one of the regular expressions in this list,
383+
the application won't respond and the user will receive a 400 response.
384384

385385
.. configuration-block::
386386

387387
.. code-block:: yaml
388388
389389
# app/config/config.yml
390390
framework:
391-
trusted_hosts: ['example.com', 'example.org']
391+
trusted_hosts: ['^example\.com$', '^example\.org$']
392392
393393
.. code-block:: xml
394394
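Review bot: the reworded sentence at new lines 382-383 says the entries are regular expressions but does not explain why the example at line 391 changed from `example.com` to `^example\.com$`. Read as a regular expression, the old form leaves the dot matching any character and carries no anchors, so a reader who keeps an entry in that shape may trust more hostnames than intended. Suggest adding one sentence after the changed one stating that each entry should be anchored with `^` and `$` and have its dots escaped. For the YAML example it is also worth noting that the patterns need to stay in single quotes, since `\.` is not a valid escape sequence in a double-quoted YAML string.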
@@ -402,8 +402,8 @@ respond and the user will receive a 500 response.
402402
http://symfony.com/schema/dic/symfony http://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
403403
404404
<framework:config>
405-
<framework:trusted-host>example.com</framework:trusted-host>
406-
<framework:trusted-host>example.org</framework:trusted-host>
405+
<framework:trusted-host>^example\.com$</framework:trusted-host>
406+
<framework:trusted-host>^example\.org$</framework:trusted-host>
407407
<!-- ... -->
408408
</framework:config>
409409
</container>
@@ -412,17 +412,17 @@ respond and the user will receive a 500 response.
412412
413413
// app/config/config.php
414414
$container->loadFromExtension('framework', array(
415-
'trusted_hosts' => array('example.com', 'example.org'),
415+
'trusted_hosts' => array('^example\.com$', '^example\.org$'),
416416
));
417417
418-
Hosts can also be configured using regular expressions (e.g. ``^(.+\.)?example.com$``),
419-
which make it easier to respond to any subdomain.
418+
Hosts can also be configured to respond to any subdomain, via
419+
``^(.+\.)?example\.com$`` for instance.
420420

421421
In addition, you can also set the trusted hosts in the front controller
422422
using the ``Request::setTrustedHosts()`` method::
423423

424424
// web/app.php
425-
Request::setTrustedHosts(array('^(.+\.)?example.com$', '^(.+\.)?example.org$'));
425+
Request::setTrustedHosts(array('^(.+\.)?example\.com$', '^(.+\.)?example\.org$'));
426426

427427
The default value for this option is an empty array, meaning that the application
428428
can respond to any given host.
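Review bot: in the new sentence at lines 418-419, `^(.+\.)?example\.com$` is described as responding to "any subdomain", but `.+` also matches dots, so the pattern accepts nested names such as `a.b.example.com` as well as single-level ones. Suggest saying so explicitly and, for readers who want exactly one level, mentioning a narrower form such as `^([^.]+\.)?example\.com$`. The unchanged closing paragraph at lines 427-428 says the default empty array lets the application respond to any given host; a short recommendation there to set this option in production would match the whitelisting advice earlier in the section.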
