Drupal trusted_host_patterns setting not configured
Description
The Drupal installation does not have the trusted_host_patterns setting configured in settings.php. This setting validates the Host header of every incoming HTTP request against a whitelist of allowed hostname patterns, which prevents Host header manipulation attacks. Without it, the application accepts requests carrying any Host header value, leaving it exposed to attacks that rely on an attacker-controlled Host header. Configuring this setting is a critical security best practice for all production Drupal sites.
Remediation
Configure the trusted_host_patterns setting in your Drupal settings.php file to specify allowed hostnames using regular expressions. Follow these steps:
1. Locate your settings.php file (typically in sites/default/settings.php)
2. Add or uncomment the trusted_host_patterns configuration
3. Define regular expression patterns matching your legitimate domain names
4. Test the configuration to ensure legitimate traffic is not blocked
Example configuration for a site running on www.example.com:
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
];
For multiple domains or subdomains:
$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^.+\.example\.com$', // All subdomains
  '^example\.com$',
];
Note: Use proper regex escaping (backslashes before dots) and anchor patterns with ^ and $ to prevent partial matches.
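The following added example (not Drupal core code) checks a few constructed Host header values against the patterns above, using the same matching Drupal hands to Symfony's Request::setTrustedHosts as I understand it: a case-insensitive preg_match on the host name with any port stripped. The host_is_trusted() helper and the candidate hosts are assumptions made for this illustration; it also shows why the missing $ anchor from the note above lets an unrelated domain pass.

```php
<?php
// Added example (not Drupal code): verify trusted_host_patterns before deploying.
// Assumption: Drupal passes the patterns to Symfony, which wraps each one as
// '{pattern}i' and matches it against the lower-cased host without the port.

$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
  '^.+\.example\.com$', // all subdomains
  '^example\.com$',
];

/**
 * Returns TRUE when $host matches at least one trusted pattern.
 * Hypothetical helper; mirrors the Symfony check, not a Drupal API.
 */
function host_is_trusted(string $host, array $patterns): bool {
  // Normalise like Symfony: trim, drop ":port", lower-case.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed sample Host header values.
$candidates = [
  'www.example.com',
  'WWW.EXAMPLE.COM:8443',       // case and port do not matter
  'shop.example.com',           // covered by the subdomain pattern
  'example.com',
  'example.com.other.test',     // must be rejected: not our domain
  'other.test',
];

foreach ($candidates as $host) {
  $verdict = host_is_trusted($host, $settings['trusted_host_patterns']) ? 'trusted' : 'rejected';
  printf("%-26s %s\n", $host, $verdict);
}

// Same check with a pattern missing its $ anchor: the lookalike host
// 'example.com.other.test' now slips through, which is what the note warns about.
$unanchored = ['^example\.com'];
printf("%-26s %s (unanchored pattern)\n", 'example.com.other.test',
  host_is_trusted('example.com.other.test', $unanchored) ? 'trusted' : 'rejected');
```

Run it with `php check_hosts.php` (or via `drush php:script`) after editing settings.php so that step 4 above is exercised with your real hostnames.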