mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Merge pull request #9618 from open-sausages/pulls/4/docs-hostname
DOCS HTTP header in server requirements
commit
821ef9559a
@ -112,6 +112,16 @@ For example, Apache allows this through `Header setifempty` (see [docs](https://
|
||||
See [Developer Guide: Performance](/developer_guides/performance/)
|
||||
and [Developer Guides: File Security](/developer_guides/files/file_security) for more details.
|
||||
|
||||
Silverstripe relies on the `Host` header to construct URLs such as "reset password" links,
|
||||
so you'll need to ensure that the systems hosting it only allow valid values for this header.
|
||||
See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery).
|
||||
|
||||
### CDNs and other Reverse Proxies
|
||||
|
||||
If your Silverstripe site is hosted behind multiple HTTP layers,
|
||||
you're in charge of controlling which forwarded headers are considered valid,
|
||||
and which IPs can set them. See [Developer Guide: Security - Request hostname forgery](/developer_guides/security/secure_coding#request-hostname-forgery).
|
||||
|
||||
### Symlinks
|
||||
|
||||
SilverStripe is a modular system, with modules installed and updated
|
||||
|
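Review bot: The added `Host` paragraph and the new "CDNs and other Reverse Proxies" section both say the operator must restrict the header, but neither says how to do that at the server layer, which is what this page is about. Both paragraphs end in the identical link to `secure_coding#request-hostname-forgery`. The context line above already gives a concrete Apache example (`Header setifempty`); suggest doing the same here by naming the forwarded headers meant (for example `X-Forwarded-Host`) and pointing to the web server or proxy setting that rejects unknown hostnames, and keeping the link once. Style point: the added lines write "Silverstripe" while the unchanged context line below still has "SilverStripe is a modular system"; pick one spelling for the page.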
@ -648,7 +648,7 @@ This is a recommended option to secure any controller which displays
|
||||
or submits sensitive user input, and is enabled by default in all CMS controllers,
|
||||
as well as the login form.
|
||||
|
||||
## Request hostname forgery
|
||||
## Request hostname forgery {#request-hostname-forgery}
|
||||
|
||||
To prevent a forged hostname appearing being used by the application, SilverStripe
|
||||
allows the configure of a whitelist of hosts that are allowed to access the system. By defining
|
||||
|
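Review bot: The unchanged lines directly under the changed heading read "a forged hostname appearing being used" and "allows the configure of a whitelist", both ungrammatical. This section is now the target of the two links added in the server requirements page, so fix them in the same change, e.g. "To prevent a forged hostname being used by the application" and "allows the configuration of a whitelist of hosts". Also confirm that the explicit `{#request-hostname-forgery}` anchor matches the fragment used in those links exactly, since a mismatch would fail silently.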