Don't raise requirements error when no trusted_host_patterns and behind trusted reverse proxy

Created on 24 August 2020, almost 5 years ago
Updated 30 July 2025, 6 days ago

Problem/Motivation

Setting trusted_host_patterns makes a lot of sense when you are "directly" exposed to the Internet; however, many sites today are behind trusted reverse proxies of one type or another. When these proxies forward through only "known" hosts to the proper origin (in this case, where Drupal is running) there is nothing unsafe about replying to "any" host pattern because the upstream configuration ensures only intended traffic will reach Drupal.

In addition, in my experience developers hard-code local names such as myawesomesite.dockerplus-thing.local or something similar, leading to unnecessary local development cruft being inserted into settings files and adding friction to developer onboarding.

Proposed resolution

I am not proposing removing this feature, but either "demoting" this requirement error to a warning or a "checked" item with a note when other settings indicate we are behind a trusted reverse proxy.

Remaining tasks

Maintainer feedback, code, change record.

Release notes snippet

TBD.

🌱 Plan
Status

Active

Version

11.0 🔥

Component

request processing system

Created by

🇺🇸 United States bradjones1 Digital Nomad Life


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇫🇷 France prudloff Lille

    If you are 100% sure you can trust your headers, you can add something like this to remove the error:

    $settings['trusted_host_patterns'] = ['.*'];
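
One way to keep the host check meaningful without hard-coding hostnames in settings.php, as an added example that is not part of the original comment or of Drupal core. The environment variable `DRUPAL_TRUSTED_HOSTS` and the `$to_patterns` helper are hypothetical names chosen for illustration.

```php
<?php
// Added example for settings.php; not Drupal core code.
// DRUPAL_TRUSTED_HOSTS is a hypothetical environment variable holding a
// comma-separated list of hostnames, e.g. "www.example.com,example.com".
// Each environment (production, CI, a developer's machine) sets its own value.

// Turns literal hostnames into anchored, escaped patterns.
// A closure is used so that including settings.php twice cannot redeclare it.
$to_patterns = static function (string $hosts): array {
  $patterns = [];
  foreach (explode(',', $hosts) as $host) {
    $host = strtolower(trim($host));
    if ($host === '') {
      continue;
    }
    // preg_quote() makes "." literal; ^ and $ keep "example.com.other.test"
    // and "notexample.com" from matching an entry for "example.com".
    $patterns[] = '^' . preg_quote($host) . '$';
  }
  return $patterns;
};

$patterns = $to_patterns(getenv('DRUPAL_TRUSTED_HOSTS') ?: '');

if ($patterns) {
  // Specific hosts: the requirements check passes and the Host header is
  // validated by Drupal in addition to the reverse proxy.
  $settings['trusted_host_patterns'] = $patterns;
}
// With the variable unset, nothing is written and the status report keeps
// flagging the missing setting. That differs from ['.*'], which clears the
// error while accepting every Host value.
```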
    