
For these localhost-only servers, a simple check on Host is fine. E.g. if you're on, checking that Host is strictly or localhost:3000 is good enough.

Doesn't DNS rebinding trick your browser into thinking this is indeed your host?

DNS rebinding involves changing your host's really-low-TTL A record to (or other internal IP), and then on the next request the browser will assume that's what the host is and make a call to that new IP assuming same-origin...but it sets the Host header to what the browser thinks represents that IP. If it's not localhost or (for this use case), then we know someone tricked the browser into thinking that our local IP was theirs. So check the Host to make sure it isn't someone else's host "re-bound" to your IP.
