/Drupal 8

protected static function DrupalKernel::setupTrustedHosts

protected static DrupalKernel::setupTrustedHosts(Request $request, $host_patterns)

Sets up the lists of trusted HTTP Host headers.

Since the HTTP Host header can be set by the user making the request, it is possible to create an attack vectors against a site by overriding this. Symfony provides a mechanism for creating a list of trusted Host values.

Host patterns (as regular expressions) can be configured through settings.php for multisite installations, sites using ServerAlias without canonical redirection, or configurations where the site responds to default requests. For example,

$settings['trusted_host_patterns'] = array(


\Symfony\Component\HttpFoundation\Request $request: The request object.

array $host_patterns: The array of trusted host patterns.

Return value

bool TRUE if the Host header is trusted, FALSE otherwise.

See also




core/lib/Drupal/Core/DrupalKernel.php, line 1442


The DrupalKernel class is the core of Drupal itself.




protected static function setupTrustedHosts(Request $request, $host_patterns) {

  // Get the host, which will validate the current request.
  try {
    $host = $request->getHost();

    // Fake requests created through Request::create() without passing in the
    // server variables from the main request have a default host of
    // 'localhost'. If 'localhost' does not match any of the trusted host
    // patterns these fake requests would fail the host verification. Instead,
    // TrustedHostsRequestFactory makes sure to pass in the server variables
    // from the main request.
    $request_factory = new TrustedHostsRequestFactory($host);
    Request::setFactory([$request_factory, 'createRequest']);

  catch (\UnexpectedValueException $e) {
    return FALSE;

  return TRUE;

© 2001–2016 by the original authors
Licensed under the GNU General Public License, version 2 and later.
Drupal is a registered trademark of Dries Buytaert.