§Allowed hosts filter
Play provides a filter that lets you configure which hosts can access your application. This is useful to prevent cache poisoning attacks. For a detailed description of how this attack works, see this blog post. The filter introduces a whitelist of allowed hosts and sends a 400 (Bad Request) response to all requests with a host that do not match the whitelist.
This is an important filter to use even in development, because DNS rebinding attacks can be used against a developer’s instance of Play: see Rails Webconsole DNS Rebinding for an example of how short lived DNS rebinding can attack a server running on localhost.
Note that if you are running a functional test against a Play application which has the AllowedHostsFilter, then
Helpers.fakeRequest() will create a request which already has
HOST set to
§Enabling the allowed hosts filter
Note: As of Play 2.6.x, the Allowed Hosts filter is included in Play’s list of default filters that are applied automatically to projects. See the Filters page for more information.
To enable the filter manually, add the allowed hosts filter to your filters in
play.filters.enabled += play.filters.hosts.AllowedHostsFilter
§Configuring allowed hosts
You can configure which hosts the filter allows using
application.conf. See the Play filters
reference.conf to see the defaults.
play.filters.hosts.allowed is a list of strings of the form
example.com. With a leading dot, the pattern will match example.com and all subdomains (
foo.bar.example.com, etc.). Without the leading dot it will just match the exact domain. If your application runs on a specific port, you can also include a port number, for instance
You can use the
. pattern to match all hosts (not recommended in production). Note that the filter also strips the dot character from the end of the host, so the
example.com pattern will match
An example configuration follows.
# Allow requests to example.com, its subdomains, and localhost:9000.
allowed = [".example.com", "localhost:9000"]
Because the AllowedHostsFilter filter is added automatically, functional tests need to have the Host HTTP header added.
If you are using
Helpers.fakeRequest, then the
Host HTTP header is added for you automatically. If you are using
play.mvc.Http.RequestBuilder, then you may need to add your own line to add the header manually:
Http.RequestBuilder request = new Http.RequestBuilder()
Next: Configuring HTTPS redirect