Since the HTTP Host header is set by the client making the request, a malicious user can supply an arbitrary value and turn it into an attack vector. To protect against this sort of attack, since version 1.14.0 Backdrop supports whitelisting a list of trusted hosts. This mechanism is configured through settings.php.

$settings['trusted_host_patterns']

$settings['trusted_host_patterns'] should be an array of regular expression patterns, without delimiters, representing the hosts you would like to allow.

Examples

A site is run off of a single, canonical domain

The following example will allow the site to only run from www.example.com:

$settings['trusted_host_patterns'] = array(
  '^www\.example\.com$',
);

A site is run off of multiple domains, and not doing canonical URL redirection

If you are running a site on multiple domain names, you should specify all of the host patterns that are allowed by your site. For example, this will allow the site to run off of all variants of example.com and example.org, with all subdomains included:

$settings['trusted_host_patterns'] = array(
  '^example\.com$',      // example.com itself
  '^.+\.example\.com$',  // any subdomain of example.com
  '^example\.org$',      // example.org itself
  '^.+\.example\.org$',  // any subdomain of example.org
);

Opt-out of this feature, and disable the warning

If you do not need this functionality (such as in development environments, or if protection is provided at another layer), you can suppress the status report warning by setting this value to FALSE:

$settings['trusted_host_patterns'] = FALSE;
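As an added example (not Backdrop's own code), the following Python script mirrors the matching behaviour described above so that a pattern list can be tried out before it is deployed. It assumes that each delimiter-free pattern is applied as a case-insensitive regular expression against the bare hostname (port already stripped), and that FALSE disables the check entirely; those assumptions, the helper names host_is_trusted and lint_patterns, and the sample pattern lists and hostnames are mine, not from the page. It goes one step beyond the text by also linting a pattern list for entries that are not anchored at both ends, which is the most common way such a whitelist ends up wider than intended.

```python
import re

# Constructed pattern list, in the shape of $settings['trusted_host_patterns'].
ANCHORED_PATTERNS = [
    r'^example\.com$',
    r'^.+\.example\.com$',
    r'^example\.org$',
    r'^.+\.example\.org$',
]

# Same list, but with the example.org entries missing their closing '$'.
UNANCHORED_PATTERNS = [
    r'^example\.com$',
    r'^.+\.example\.com$',
    r'^example\.org',
    r'^.+\.example\.org',
]


def host_is_trusted(host, patterns):
    """Return True if `host` matches at least one trusted pattern.

    Assumption (this example's model, not Backdrop's code): patterns are
    delimiter-free regexes applied case-insensitively, and `patterns is False`
    means the feature is opted out of, so every host is accepted.
    """
    if patterns is False:
        return True
    if not patterns:
        # An empty list trusts nothing; fail closed rather than open.
        return False
    return any(re.search(pattern, host, re.IGNORECASE) for pattern in patterns)


def lint_patterns(patterns):
    """Return (pattern, issue) pairs for patterns not anchored at both ends.

    Without '$' a pattern also matches any longer host that merely starts with
    the trusted name; without '^' it matches any host that merely ends with it.
    """
    problems = []
    if patterns is False:
        return problems
    for pattern in patterns:
        if not pattern.startswith('^'):
            problems.append((pattern, 'missing ^ anchor'))
        if not pattern.endswith('$'):
            problems.append((pattern, 'missing $ anchor'))
    return problems


if __name__ == '__main__':
    # Constructed Host values: two legitimate spellings and one lookalike.
    for host in ['www.example.com', 'EXAMPLE.ORG', 'example.org.other.test']:
        print(host,
              'anchored:', host_is_trusted(host, ANCHORED_PATTERNS),
              'unanchored:', host_is_trusted(host, UNANCHORED_PATTERNS))
    for pattern, issue in lint_patterns(UNANCHORED_PATTERNS):
        print(issue + ':', pattern)
```

Running the script shows the anchored list rejecting the lookalike hostname while the unanchored list accepts it, and the linter pointing at the two entries responsible; treat any lint finding as a configuration bug before the site goes live.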

Introduced in branch: 1.14.x
Introduced in version: 1.14.0
Impacts: Architects, Administrators, Editors
Related GitHub Issues: https://github.com/backdrop/backdrop-issues/issues/2568