As of slightly over a week ago, Drupal 8 permits you to hardwire in settings.php not just the old $base_url default, but a list of regular expressions which, if the incoming request domain doesn't match any of them, cause the server to respond to the browser with HTTP 500: effectively what looks to the world like a server error. This is in addition to the options of configuring your webserver layer to do the same.
What this means is that, once you've got the setting in place, people can't (maliciously or otherwise) request pages from your Drupal codebase while spoofing a different domain name. Such spoofed requests can potentially lead to poisoning of your cache or your cron. You can block them at other layers too, but blocking in Drupal can lead to more intelligent behaviour if you need it.
Locking down permitted domains is trivial: add the following configuration into settings.php:
$settings['trusted_host_patterns'] = array(
  '^www\.example\.com$',
);
There's more detailed information on the D8 change record for this new functionality. Note that, if you're doing local development, you might get (temporarily) locked out of your site by the above configuration on its own. You should add another trusted host pattern for '^localhost$' in this case.
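To see why the anchors and escaped dots in the pattern matter, here is an added example (not from the original post and not Drupal's own code) that runs a simplified host check over constructed Host header values. The function host_is_trusted(), the loose pattern and the sample hosts are assumptions made for illustration, as is matching case-insensitively with any port stripped.

```php
<?php
// Added example: a simplified stand-in for the host check, not Drupal's own code.
// Assumption: patterns are matched case-insensitively against the Host header
// with any ":port" suffix removed.

function host_is_trusted(string $hostHeader, array $patterns): bool {
  // Drop an optional ":port" suffix and normalise case.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
  foreach ($patterns as $pattern) {
    // "{...}" delimiters avoid having to escape "/" inside the pattern.
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Patterns in the style recommended on this page.
$strict = ['^www\.example\.com$', '^localhost$'];
// A loose variant for comparison: no anchors, dots left unescaped.
$loose = ['www.example.com'];

// Constructed Host header values.
$hosts = [
  'www.example.com',
  'WWW.EXAMPLE.COM:8080',
  'localhost',
  'example.com',
  'www.example.com.attacker.test',
  'wwwXexample.com',
];

printf("%-32s %-8s %s\n", 'Host header', 'strict', 'loose');
foreach ($hosts as $host) {
  printf("%-32s %-8s %s\n",
    $host,
    host_is_trusted($host, $strict) ? 'allow' : 'reject',
    host_is_trusted($host, $loose) ? 'allow' : 'reject'
  );
}
```

The strict list rejects the bare example.com as well, so a site served on both www and non-www names needs one pattern for each.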
All of your options for blocking such requests are covered on this d.o documentation page on protecting against them, and I've just added the new D8 behaviour to the bottom of the page myself. Why not download the latest D8 beta and give it a try?
Comments
Fiki Firmansyah (not verified)
Fri, 15/04/2016 - 20:57
$settings['trusted_host_patterns'] = array(
'^yourwebsite\.com$',
'^www\.yourwebsite\.com$',
);
It fixed my problem.
jp.stacey
Sat, 16/04/2016 - 09:06
You don't say what your problem is, but that's certainly a valid trusted_host_patterns array. As I mention, you might also want to add '^localhost$' as an entry alongside your www and non-www variants.