From 0a6b0661305f20ac1fbd219d43f59193bea90d1d Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 26 Oct 2015 15:31:38 +0200 Subject: Prevent Host header injections --- application/config/config.php | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'application/config') diff --git a/application/config/config.php b/application/config/config.php index 479d591a4..4f8f81406 100644 --- a/application/config/config.php +++ b/application/config/config.php @@ -11,10 +11,16 @@ defined('BASEPATH') OR exit('No direct script access allowed'); | | http://example.com/ | -| If this is not set then CodeIgniter will try guess the protocol, domain -| and path to your installation. However, you should always configure this -| explicitly and never rely on auto-guessing, especially in production -| environments. +| WARNING: You MUST set this value! +| +| If it is not set, then CodeIgniter will try guess the protocol and path +| your installation, but due to security concerns the hostname will be set +| to $_SERVER['SERVER_ADDR'] if available, or localhost otherwise. +| The auto-detection mechanism exists only for convenience during +| development and MUST NOT be used in production! +| +| If you need to allow multiple domains, remember that this file is still +| a PHP script and you can easily do that on your own. | */ $config['base_url'] = ''; -- cgit v1.2.3-24-g4f1b