From 632fe52663975ee81f68999e27ca2aca97272454 Mon Sep 17 00:00:00 2001
From: Bruce Bolt <bruce.bolt@digital.cabinet-office.gov.uk>
Date: Tue, 8 Oct 2024 10:23:51 +0100
Subject: [PATCH] Configure hosts for application

Note: the healthcheck endpoints are requested by IP, not domain, so we
need to specifically exclude them from the protection.
---
 config/environments/production.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 910dd344..6da2a283 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -85,10 +85,10 @@
   }
 
   # Enable DNS rebinding protection and other `Host` header attacks.
-  # config.hosts = [
-  #   "example.com",     # Allow requests from example.com
-  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
-  # ]
+  config.hosts = [
+    /content-data\..*gov.uk?/,
+  ]
+
   # Skip DNS rebinding protection for the default health check endpoint.
-  # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
+  config.host_authorization = { exclude: ->(request) { request.path.match?("^\/healthcheck") } }
 end