Blocked host on Rails 6

Manfred Stienstra

If you’re upgrading to Rails 6 you may find the following error in your browser:

To allow requests to hostname, add the following to your environment configuration:

config.hosts << "hostname"

You ran into Host Authorization, new middleware included in Rails to prevent against DNS rebinding attacks.

By default this feature allows requests from, ::, and localhost. There are basically two ways to work around this.

The first option is to whitelist the development hostname in config/environments/development.rb.

Rails.application.configure do
  # Whitelist one hostname
  config.hosts << "hostname"
  # Whitelist a test domain. Rails adds \A and \z around
  # your regular expressions.
  config.hosts << /application\.local/

The second option is to clear the entire whitelist, which lets through requests for all hostnames.

Rails.application.configure do

Never whitelist everything in production as it essentially turns off the feature.