Shelf Host Validation
Middleware that protects Shelf and Dart Frog servers from DNS rebinding attacks by validating the Host and Referer [sic] headers of incoming requests. If a request doesn't contain a whitelisted Host/Referer header, shelf_host_validation responds with a 403 Forbidden HTTP error. Inspired by github.com/brannondorsey/host-validation
Installing
dart pub add shelf_host_validation
Usage
Parameters:
- hosts is a list of allowed hosts; each entry can be a RegExp or a String
- referers is a list of allowed referers; each entry can be a RegExp or a String
- mode is the ValidationMode, either or both
- errorResponse is the Response which is returned if the validation fails
As shelf middleware
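import 'package:shelf/shelf.dart';
import 'package:shelf_host_validation/shelf_host_validation.dart';

// Validation runs first, so rejected requests never reach the later
// middleware or the handler. _echoRequest is the application's own handler.
var handler = const Pipeline()
    .addMiddleware(
      validateHost(
        hosts: ['trusted-host.com'],
        referers: [
          'http://trusted-host.com/login.php',
          RegExp(r'^https:\/\/'),
        ],
      ),
    )
    .addMiddleware(logRequests())
    .addHandler(_echoRequest);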
As dart_frog middleware
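import 'package:dart_frog/dart_frog.dart';
import 'package:shelf_host_validation/shelf_host_validation.dart';

// routes/_middleware.dart: Dart Frog looks for a top-level function
// named middleware in this file.
Handler middleware(Handler handler) {
  return handler.use(
    fromShelfMiddleware(
      validateHost(
        hosts: ['trusted-host.com'],
        referers: [
          'http://trusted-host.com/login.php',
          RegExp(r'^https:\/\/'),
        ],
      ),
    ),
  );
}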