host-validation-middleware

![npm version](https://badge.fury.io/js/host-validation-middleware) !CI ![MIT License](LICENSE)

Middleware for validating host headers in requests to protect against DNS rebinding attacks.

> [!NOTE]
> DNS rebinding attacks are not effective against HTTPS sites. Since HTTPS is now commonly used for production environments, this middleware is generally unnecessary for production sites.

Install

shell

npm i -D host-validation-middleware # pnpm add -D host-validation-middleware





Usage



$3



This middleware is compatible with Connect and frameworks like Express that support Connect-style middleware.

ts

import connect from 'connect'

import { hostValidationMiddleware } from 'host-validation-middleware'



const app = connect()



app.use(

  hostValidationMiddleware({

    // Values starting with

 will allow all the subdomains under that domain

    allowedHosts: Object.freeze(['example.com', '.mydomain.com']),

    // Optionally customize the error message:

    generateErrorMessage: hostname =>

Access denied for host: ${hostname}

,

    // Optionally set the error response content type:

    errorResponseContentType: 'text/plain'

  })

)



app.use((req, res) => {

  res.end('Hello, world!')

})



app.listen(3000, () => {

  console.log('Server running on http://localhost:3000')

})





If the host header is not in the allowed hosts list, a 403 Forbidden response is sent.



$3



You can also use the core host validation logic directly:

ts

import { isHostAllowed } from 'host-validation-middleware'



const allowedHosts = Object.freeze(['example.com', '.mydomain.com'])



console.log(isHostAllowed('example.com', allowedHosts)) // true

console.log(isHostAllowed('sub.mydomain.com', allowedHosts)) // true

console.log(isHostAllowed('evil.com', allowedHosts)) // false





This function will cache the result if the

allowedHosts

 array is frozen.



Allowed Hosts



The host names listed in the

allowedHosts

 options will be allowed.

If the host name starts with a dot, the domain without the dot and any subdomain of it will be allowed.



- Example: With

allowedHosts: ['example.com', '.mydomain.com']

:

  - Requests to

example.com

 are allowed.

  - Requests to

mydomain.com, foo.mydomain.com, bar.foo.mydomain.com

 are also allowed.



Also the following hosts that cannot be used for DNS rebinding attacks are always allowed:



- Any

localhost or subdomain of localhost (e.g., localhost, foo.localhost

)

- Any IPv4 or IPv6 address (e.g.,

127.0.0.1, [::1]

)

- Any host using the

file:

 or browser extension protocol



Credits



The API interface and the original implementation is based on

webpack-dev-server's allowedHosts` option.

host-validation-middleware

Install

shell

npm i -D host-validation-middleware # pnpm add -D host-validation-middleware





Usage



$3



This middleware is compatible with Connect and frameworks like Express that support Connect-style middleware.

ts

import connect from 'connect'

import { hostValidationMiddleware } from 'host-validation-middleware'



const app = connect()



app.use(

  hostValidationMiddleware({

    // Values starting with

 will allow all the subdomains under that domain

    allowedHosts: Object.freeze(['example.com', '.mydomain.com']),

    // Optionally customize the error message:

    generateErrorMessage: hostname =>

Access denied for host: ${hostname}

,

    // Optionally set the error response content type:

    errorResponseContentType: 'text/plain'

  })

)



app.use((req, res) => {

  res.end('Hello, world!')

})



app.listen(3000, () => {

  console.log('Server running on http://localhost:3000')

})





If the host header is not in the allowed hosts list, a 403 Forbidden response is sent.



$3



You can also use the core host validation logic directly:

ts

import { isHostAllowed } from 'host-validation-middleware'



const allowedHosts = Object.freeze(['example.com', '.mydomain.com'])



console.log(isHostAllowed('example.com', allowedHosts)) // true

console.log(isHostAllowed('sub.mydomain.com', allowedHosts)) // true

console.log(isHostAllowed('evil.com', allowedHosts)) // false





This function will cache the result if the

allowedHosts

 array is frozen.



Allowed Hosts



The host names listed in the

allowedHosts

 options will be allowed.

If the host name starts with a dot, the domain without the dot and any subdomain of it will be allowed.



- Example: With

allowedHosts: ['example.com', '.mydomain.com']

:

  - Requests to

example.com

 are allowed.

  - Requests to

mydomain.com, foo.mydomain.com, bar.foo.mydomain.com

 are also allowed.



Also the following hosts that cannot be used for DNS rebinding attacks are always allowed:



- Any

localhost or subdomain of localhost (e.g., localhost, foo.localhost

)

- Any IPv4 or IPv6 address (e.g.,

127.0.0.1, [::1]

)

- Any host using the

file:

 or browser extension protocol



Credits



The API interface and the original implementation is based on

webpack-dev-server's allowedHosts` option.