Skip to main content

host_validate

Function host_validate 

Source
pub async fn host_validate(req: Request, next: Next) -> Response
Expand description

Middleware: reject requests whose Host header (or HTTP/2 :authority pseudo-header) is not in the configured allowlist.

Source of truth for the allowlist:

  1. axum::Extension<TrustedHosts> if present on the request — the server builder inserts this from TrustedHosts::from_env at startup, and tests can override.
  2. Otherwise, a per-process env-var fallback parsed once from TENSOR_WASM_API_TRUSTED_HOSTS.

Empty allowlist (no entries / env unset) = pass-through.

Host extraction order:

  1. Host: request header.
  2. If absent, req.uri().authority() — the URI carries the HTTP/2 :authority pseudo-header in hyper’s normalised request form.
  3. If both absent and the allowlist is non-empty, respond 400.

Closes api S-30. T19 perf re-order: layered OUTSIDE the trace layer (and the CORS layer) so hostile Host probes are rejected before any trace span is allocated or any traceparent propagator hop runs. Still layered BEFORE bearer_auth so an attacker probing for valid hosts cannot also probe for valid tokens. The probe router inherits this gate too; operators with split-Host probes can simply omit the env var. Rejected requests do NOT get a trace span and are NOT counted by the HTTP metrics layer (which sits inside the trace layer) — an intentional tradeoff so a hostile Host probe storm cannot burn either trace budget or metric cardinality. See the comment block in build_router_full.