Blocked host on Rails 6

Manfred Stienstra

If you’re upgrading to Rails 6 you may find the following error in your browser:

To allow requests to hostname, add the following to your environment configuration:

config.hosts << "hostname"

You ran into Host Authorization, new middleware included in Rails to prevent against DNS rebinding attacks.

By default this feature allows requests from 0.0.0.0, ::, and localhost. There are basically two ways to work around this.

The first option is to whitelist the development hostname in config/environments/development.rb.

Rails.application.configure do
  # Whitelist one hostname
  config.hosts << "hostname"
  # Whitelist a test domain
  config.hosts << /application\.local\Z/
end

The second option is to clear the entire whitelist, which lets through requests for all hostnames.

Rails.application.configure do
  config.hosts.clear
end

Never whitelist everything in production as it essentially turns off the feature.