
Implement DNS rebinding protection #31

@golja

Description

What Is DNS Rebinding?

DNS rebinding is a web-based attack in which a malicious webpage makes a victim's browser send requests to a private/internal service (for example an app listening on localhost, or a host inside the victim's private network). The attacker never connects to the internal service directly; the victim's browser does it for them.

Example attack scenario:

  1. The user visits a malicious webpage on an attacker-controlled domain (say evil.com), whose DNS the attacker also controls and serves with a very short TTL.
  2. The attacker's DNS initially resolves evil.com to the attacker's own server, so the browser loads the page and its JavaScript normally.
  3. The attacker then changes the DNS answer for evil.com to 127.0.0.1 (or an internal IP).
  4. The page's JS keeps making requests to evil.com. When the browser re-resolves the name, those requests now go to 127.0.0.1, i.e. to your local Express app, and because the page and the requests share the origin evil.com, the JS can read the responses.
  5. The browser still sends `Host: evil.com` on every one of those requests. That header is the one thing the attacker cannot make look local, which is exactly why checking it defeats the attack.

If your app treats "it arrived on 127.0.0.1" as proof that the caller is trusted (for example by skipping authentication for local requests), the attacker can drive it through the victim's browser.

🔧 What the Config Means

The commented settings:

enableDnsRebindingProtection: true,
allowedHosts: ['127.0.0.1'],

mean:

  • enableDnsRebindingProtection When set to true, the server checks the Host header of each incoming request against the allowlist. A request whose Host header does not name an approved host is rejected before it reaches your handlers. (The source IP is not what is checked: in a rebinding attack the request really does come from the victim's machine, so the IP looks legitimate; only the Host header gives the attacker away.)
  • allowedHosts Defines which host names or IP literals are valid in the Host header.

If you're only running locally, ['127.0.0.1'] or ['localhost'] makes sense.
In production, you'd set it to your known domain names.
Keep in mind that a browser includes a non-default port in the Host header (`localhost:3000`, not `localhost`), so check whether your framework matches on the bare host name or on host:port before relying on the list.
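To make the two paragraphs above concrete, here is an added example of the Host-header allowlist check that such a setting performs. This is illustrative code written for this issue, not the framework's own implementation; the names parseHostHeader, isAllowedHost, dnsRebindingProtection and simulate are this example's own, and the request objects it feeds in are constructed by hand so it runs without a network or an Express dependency. It goes slightly beyond the page's description in two respects a practitioner usually wants: allowlist entries may carry a port, and a trailing-dot host name (`myapp.example.com.`) is normalised rather than slipping past a naive string comparison.

```javascript
// Added example: a Host-header allowlist of the kind enableDnsRebindingProtection
// is described as enforcing. Not the framework's code; names are hypothetical.

// Split "host[:port]" into its parts. IPv6 literals arrive bracketed ("[::1]:3000").
// Host names are lower-cased and a trailing dot ("localhost.") is stripped so that
// attacker variants of an allowed name do not bypass the comparison.
function parseHostHeader(value) {
  if (typeof value !== "string" || value.length === 0) return null;
  const v = value.trim().toLowerCase();
  let m = /^\[([0-9a-f:.]+)\](?::(\d{1,5}))?$/.exec(v);   // [ipv6][:port]
  if (m) return { host: m[1], port: m[2] || null };
  m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/.exec(v);           // name-or-ipv4[:port]
  if (m) return { host: m[1].replace(/\.$/, ""), port: m[2] || null };
  m = /^([0-9a-f:.]+)$/.exec(v);                          // bare ipv6 (allowlist entries)
  if (m) return { host: m[1], port: null };
  return null; // anything else is malformed and is rejected
}

// True when the Host header names an allowed host. An allowlist entry without a
// port ("localhost") matches any port; one with a port ("localhost:3000")
// requires that exact port.
function isAllowedHost(hostHeader, allowedHosts) {
  const got = parseHostHeader(hostHeader);
  if (!got) return false;
  return allowedHosts.some((entry) => {
    const want = parseHostHeader(entry);
    if (!want || want.host !== got.host) return false;
    return want.port === null || want.port === got.port;
  });
}

// Express-style middleware factory taking the same two settings the issue
// discusses. When the flag is off it is a no-op, matching "disabled by default".
function dnsRebindingProtection(options) {
  const allowedHosts = options.allowedHosts || [];
  return function (req, res, next) {
    if (!options.enableDnsRebindingProtection) return next();
    if (isAllowedHost(req.headers.host, allowedHosts)) return next();
    res.statusCode = 403;
    res.setHeader("Content-Type", "text/plain");
    res.end("Forbidden: Host header is not in allowedHosts");
  };
}

// Drive the middleware with a hand-built request (constructed input, no network)
// and report whether the request would have reached a route handler.
function simulate(middleware, hostHeader) {
  const req = { headers: hostHeader === undefined ? {} : { host: hostHeader } };
  const res = {
    statusCode: 200,
    headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    end() {},
  };
  let reachedHandler = false;
  middleware(req, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler };
}

const guard = dnsRebindingProtection({
  enableDnsRebindingProtection: true,
  allowedHosts: ["127.0.0.1", "localhost:3000", "myapp.example.com"],
});

// "attacker.example" is what the victim's browser sends after rebinding: the
// packets reach 127.0.0.1, but the Host header still names the attacker's domain.
for (const h of ["localhost:3000", "127.0.0.1:3000", "attacker.example",
                 "localhost:4000", "MYAPP.example.com.", undefined]) {
  console.log(String(h).padEnd(20), JSON.stringify(simulate(guard, h)));
}
```

Wire it in with `app.use(dnsRebindingProtection({...}))` before any routes. The point of the `attacker.example` case is that nothing about the socket distinguishes it from a legitimate local request; the allowlist on the Host header is the only thing that does.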

🧠 Why Is It Disabled by Default?

Some existing apps depend on accepting requests from many hostnames.
Enabling this protection changes behavior, and could break setups that rely on proxies, dev tunnels, etc.
So it's left off for backwards compatibility.

✔️ When Should You Enable It?

Recommendation by environment:

  • Local development ✔️ YES — protect localhost apps
  • Production with known domains ✔️ YES — list your domains in allowedHosts
  • Public API accepting many hosts ⚠️ Be careful — may block legitimate use

🏁 Example Configuration

const server = new SomeServerFramework({
  enableDnsRebindingProtection: true,
  allowedHosts: ['127.0.0.1', 'localhost', 'myapp.example.com']
});

📌 Summary

Turning it on adds security by validating the Host header of every request against a known list.
You should enable it unless the server must legitimately answer to arbitrary hostnames.
