15/04/2025, by Ivan


Protection Against HTTP HOST Header Attacks (Don't Let Your Site Think It's Someone Else)

Drupal 7 introduced a core feature that is not directly exposed to users but is often referred to as poormanscron. It triggers periodic site tasks such as log cleaning, email dispatch and cache clearing from within ordinary page requests. Combined with dynamic base URL detection (added in Drupal 4.7), which derives the site's base URL from the incoming request, this can cause problematic behavior. This article outlines those scenarios and what can be done to mitigate them.

Scenario 1: Sending User Emails with Incorrect Domain

This can be reproduced by pointing a different domain at your site's IP address (e.g. other-site.example.org pointing to the same address as www.example.com) and visiting /user/password. The system will use other-site.example.org as the base URL in password reset emails. This leads to confusion, or worse:

  • A malicious actor could intercept password reset links.
  • Users might enter credentials into a spoofed domain, risking phishing attacks.

Scenario 2: Cached Pages Contain the Wrong Domain

If cache entries are created using the wrong domain (via misrouted requests), future users may be served incorrect URLs. Drupal core’s page cache avoids this, but contributed modules might not.

Scenario 3: Email Notifications Containing the Wrong Domain

When poormanscron triggers email dispatch during a request made via the wrong domain, the resulting emails contain links to that invalid domain, again confusing users.

Solutions to Dynamic Base URL Confusion

Choose one or more of the following approaches:

  1. Set a fixed $base_url in sites/default/settings.php.
  2. Use domain-specific settings.php files like sites/example.com/settings.php.
  3. Configure your webserver to respond to unrecognized domains with an error page.
  4. Redirect all unknown domains to the correct one via server settings.

Trusted Host Security Setting in Drupal 8

As of January 2015, Drupal 8 supports "trusted host patterns" in settings.php using regular expressions:

$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
];

For local development, include '^localhost$' as needed.
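To show what the setting buys you, here is an added Python model (not Drupal's own code) of the two behaviours the article describes: a base URL taken straight from the Host header, as in Scenario 1, versus one gated by trusted_host_patterns. It assumes the patterns are applied as case-insensitive regular expressions to the host name with any port stripped; the host names and the reset token are constructed values.

```python
import re

# Patterns in the same form as $settings['trusted_host_patterns'].
# Constructed example: the production host plus localhost for development.
TRUSTED_HOST_PATTERNS = [
    r"^www\.example\.com$",
    r"^localhost$",
]


def normalize_host(host_header):
    """Lower-case the Host header and strip an optional :port suffix.

    Assumption of this example: the check is applied to the host name only,
    without the port, and case-insensitively."""
    match = re.match(r"^\s*(.*?)(?::\d+)?\s*$", host_header.lower())
    return match.group(1)


def host_is_trusted(host_header, patterns=TRUSTED_HOST_PATTERNS):
    """True if the Host header matches at least one configured regex."""
    host = normalize_host(host_header)
    return any(re.search(pattern, host) for pattern in patterns)


def reset_link_unprotected(host_header, token):
    """Scenario 1 behaviour: the base URL is whatever Host the client sent,
    so a misrouted request yields a reset link on the wrong domain."""
    return f"https://{normalize_host(host_header)}/user/reset/{token}"


def reset_link_protected(host_header, token, patterns=TRUSTED_HOST_PATTERNS):
    """Hardened behaviour: an untrusted Host is rejected before any URL is
    built, so no email can carry a link to an unlisted domain."""
    if not host_is_trusted(host_header, patterns):
        raise ValueError(f"Host header not in trusted_host_patterns: {host_header}")
    return f"https://{normalize_host(host_header)}/user/reset/{token}"


if __name__ == "__main__":
    # Constructed token; a real one is issued by Drupal's password reset flow.
    token = "1/abc/EXAMPLETOKEN"
    print(reset_link_unprotected("other-site.example.org", token))
    try:
        reset_link_protected("other-site.example.org", token)
    except ValueError as err:
        print("rejected:", err)
    print(reset_link_protected("www.example.com:443", token))
```

Anchors matter: an unanchored pattern such as example\.com would also accept a host like www.example.com.attacker.test, which is why every pattern on this page starts with ^ and ends with $.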

Trusted Host for MAMP 3

$settings['trusted_host_patterns'] = [
  '^drupal8$',
];

Note: MAMP 4.2 supports '^localhost$'.

Trusted Host for Acquia Dev Desktop 2

$settings['trusted_host_patterns'] = [
  '^sitename\.dd$',
];

Trusted Host for XAMPP

$settings['trusted_host_patterns'] = [
  '^localhost$',
  '^192\.168\.00\.52$',
  '^127\.0\.0\.1$',
];

Ensure all domains used in a multisite installation are listed.

Trusted Host for Lando

$settings['trusted_host_patterns'] = [
  '^'.getenv('LANDO_APP_NAME').'\.lndo\.site$',
  '^localhost$',
  '^'.getenv('LANDO_APP_NAME').'\.localtunnel\.me$',
  '^192\.168\.1\.100$',
];

Tip: Lando exposes additional environment variables you can use. Check phpinfo() or use:

$lando_info = json_decode(getenv('LANDO_INFO'), TRUE);

Drupal’s online documentation is © 2000-2020 by the individual contributors and can be used in accordance with the Creative Commons License, Attribution-ShareAlike 2.0. PHP code is distributed under the GNU General Public License.