Merge pull request #9618 from open-sausages/pulls/4/docs-hostname

DOCS HTTP header in server requirements
This commit is contained in:
Robbie Averill 2020-07-29 10:44:29 -07:00 committed by GitHub
commit 821ef9559a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 1 deletions

View File

@ -112,6 +112,16 @@ For example, Apache allows this through `Header setifempty` (see [docs](https://
See [Developer Guide: Performance](/developer_guides/performance/) See [Developer Guide: Performance](/developer_guides/performance/)
and [Developer Guides: File Security](/developer_guides/files/file_security) for more details. and [Developer Guides: File Security](/developer_guides/files/file_security) for more details.
Silverstripe relies on the `Host` header to construct URLs such as "reset password" links,
so you'll need to ensure that the systems hosting it only allow valid values for this header.
See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery).
### CDNs and other Reverse Proxies
If your Silverstripe site is hosted behind multiple HTTP layers,
you're in charge of controlling which forwarded headers are considered valid,
and which IPs can set them. See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery).
### Symlinks ### Symlinks
SilverStripe is a modular system, with modules installed and updated SilverStripe is a modular system, with modules installed and updated

View File

@ -648,7 +648,7 @@ This is a recommended option to secure any controller which displays
or submits sensitive user input, and is enabled by default in all CMS controllers, or submits sensitive user input, and is enabled by default in all CMS controllers,
as well as the login form. as well as the login form.
## Request hostname forgery ## Request hostname forgery {#request-hostname-forgery}
To prevent a forged hostname appearing being used by the application, SilverStripe To prevent a forged hostname appearing being used by the application, SilverStripe
allows the configure of a whitelist of hosts that are allowed to access the system. By defining allows the configure of a whitelist of hosts that are allowed to access the system. By defining