From e759ffbcdc613f32a6723e35e11fea529c6a4b4b Mon Sep 17 00:00:00 2001
From: Damian Mooyman <damian@silverstripe.com>
Date: Mon, 25 May 2015 14:28:27 +1200
Subject: [PATCH] Enforce trusted proxy servers

---
 .htaccess | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.htaccess b/.htaccess
index 7a07f4c..0b2cae6 100644
--- a/.htaccess
+++ b/.htaccess
@@ -23,6 +23,13 @@
 ErrorDocument 404 /assets/error-404.html
 ErrorDocument 500 /assets/error-500.html
 
+<IfModule mod_env.c>
+	# Ensure that X-Forwarded-Host is only allowed to determine the request
+	# hostname for servers ips defined by SS_TRUSTED_PROXY_IPS in your _ss_environment.php
+	# Note that in a future release this setting will be always on.
+	#SetEnv BlockUntrustedProxyHeaders true
+</IfModule>
+
 <IfModule mod_rewrite.c>
 
 	# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4