validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern (continued from previous page) } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern rewrite (.*) /static/robots.txt; } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; (continues on next page) 36 Chapter 6. Documentation Tornado Documentation

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern rewrite (.*) /static/robots.txt; } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern rewrite (.*) /static/robots.txt; } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern rewrite (.*) /static/robots.txt; } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern rewrite (.*) /static/robots.txt; } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern rewrite (.*) /static/robots.txt; } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme;

validating the Host HTTP header. This means passing a restrictive hostname pattern to either a HostMatches router or the first argument of Application.add_handlers: # BAD: uses a default host pattern of r' default_host argument to Application and the DefaultHostMatches router must not be used in applications that may be vulnerable to DNS rebinding, because it has a similar effect to a wildcard host pattern rewrite (.*) /static/robots.txt; } location / { proxy_pass_header Server; proxy_set_header Host $http_host; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Scheme $scheme;