PHP Class yii\filters\HostControl

This filter provides protection against 'host header' attacks, allowing action execution only for specified host names. Application configuration example: php return [ 'as hostControl' => [ 'class' => 'yii\filters\HostControl', 'allowedHosts' => [ 'example.com', '*.example.com', ], ], ... ]; Controller configuration example: php use yii\web\Controller; use yii\filters\HostControl; class SiteController extends Controller { public function behaviors() { return [ 'hostControl' => [ 'class' => HostControl::className(), 'allowedHosts' => [ 'example.com', '*.example.com', ], ], ]; } ... } > Note: the best way to restrict allowed host names is usage of the web server 'virtual hosts' configuration. This filter should be used only if this configuration is not available or compromised.

Since: 2.0.11

Author: Paul Klimov ([email protected])

Inheritance: extends yii\base\ActionFilter

Show file Open project: yiisoft/yii2

Public Properties

Property	Type	Description
$allowedHosts		list of host names, which are allowed. Each host can be specified as a wildcard pattern. For example: php [ 'example.com', '*.example.com', ] This field can be specified as a PHP callback of following signature: php function (\yii\base\Action $action) { return array of strings } where $action is the current [[\yii\base\Action\|action]] object. If this field is not set - no host name check will be performed.
$denyCallback		a callback that will be called if the current host does not match [[allowedHosts]]. If not set, HostControl::denyAccess will be called. The signature of the callback should be as follows: php function (\yii\base\Action $action) where $action is the current [[\yii\base\Action\|action]] object. > Note: while implementing your own host deny processing, make sure you avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.

Public Methods

Method	Description
beforeAction ( $action )

Protected Methods

Method	Description
denyAccess ( Action $action )	Denies the access.

Method Details

beforeAction() public method

public beforeAction ( $action )

denyAccess() protected method

The default implementation will display 404 page right away, terminating the program execution. You may override this method, creating your own deny access handler. While doing so, make sure you avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.

protected denyAccess ( Action $action )
$action	yii\base\Action	the action to be executed.

Property Details

$allowedHosts public property

list of host names, which are allowed. Each host can be specified as a wildcard pattern. For example: php [ 'example.com', '*.example.com', ] This field can be specified as a PHP callback of following signature: php function (\yii\base\Action $action) { return array of strings } where $action is the current [[\yii\base\Action|action]] object. If this field is not set - no host name check will be performed.

public $allowedHosts

$denyCallback public property

a callback that will be called if the current host does not match [[allowedHosts]]. If not set, HostControl::denyAccess will be called. The signature of the callback should be as follows: php function (\yii\base\Action $action) where $action is the current [[\yii\base\Action|action]] object. > Note: while implementing your own host deny processing, make sure you avoid usage of the current requested host name, creation of absolute URL links, caching page parts and so on.

public $denyCallback