Add a note about default filters potentially blocking

[wsargent]

With regards to #7154 there isn't an explicit warning that default filters may impact sites that are upgrading.

I'll make the logs more explicit as well, so a security failure results in a log with SECURITY marker.

[gmethvin]

LGTM

[schmitch]

LGTM.

However I'm still not sure if it was the best idea, to actually set a default set of filters, maybe it would've been better to have filters defined as [] and only change all templates.
Well on the other side people who are familiar with play, can actually just set play.http.filters.

[PromanSEW]

I think AllowedHostsFilter must be excluded from DefaultHttpFilters in release. It is not needed in most cases.

[fmeriaux]

I agree with @PromanSEW

[wsargent]

AllowedHostsFilter is there because it protects against DNS rebinding attacks. See https://benmmurphy.github.io/blog/2016/07/11/rails-webconsole-dns-rebinding/ for the attack.

This is actually a real thing, and while Play doesn't execute runnables, there's still a fair bit you can do with DNS rebinding. See for example:

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9014
• http://bouk.co/blog/hacking-developers/

So the issue isn't "this isn't needed in most cases" because in general, most security features aren't needed in most cases. It's trivial for users to disable, but now it's something that has to be disabled explicitly, rather than added in.

[wsargent]

@schmitch see https://www.playframework.com/documentation/2.6.x/Migration26#Disabling-Default-Filters for how to disable the filters

[fmeriaux]

Thank you for these interesting articles @wsargent, I understand better.

Would it not be wise to inform the documentation in a few lines of the rather important role of this protection?

I think that knowingly, developers would be less discouraged when problems arise.

[wsargent]

@fmeriaux if you read the documentation on the AllowedHostsFilter page https://playframework.com/documentation/2.6.x/AllowedHostsFilter#Allowed-hosts-filter it says

Play provides a filter that lets you configure which hosts can access your application. This is useful to prevent cache poisoning attacks. For a detailed description of how this attack works, see this blog post. The filter introduces a whitelist of allowed hosts and sends a 400 (Bad Request) response to all requests with a host that do not match the whitelist.
This is an important filter to use even in development, because DNS rebinding attacks can be used against a developer’s instance of Play: see Rails Webconsole DNS Rebinding for an example of how short lived DNS rebinding can attack a server running on localhost.

I think that effectively communicates the role of the filter.