This repository has been archived by the owner on Jul 12, 2023. It is now read-only.
Use a wildcard for redirect domains (#2029)
There's a limit of 50 path_matchers on a url map. Fortunately it supports wildcards :). This properly allows any subdomain to redirect to the https version.

It doesn't 100% prevent host-header injection, but it does prevent an attacker from redirecting to an arbitrary host; it's only possible to redirect to another host on the same domain (which we control and does not serve user content).

This also changes redirects from 301 -> 302. In testing, my browser cached the redirect, which was somewhat annoying. Given that we may change these, 302 feels more appropriate.
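The property the commit message describes can be modeled in a few lines. This is an added example, not code from the commit or the repository: a simplified stand-in for a wildcard host rule that redirects plain HTTP to the HTTPS version of the same host. The domain `example.org` and the names `match_wildcard` and `redirect_for` are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

WILDCARD_RULE = "*.example.org"  # placeholder domain (assumption, not from the commit)
REDIRECT_STATUS = 302            # temporary redirect, as the commit message chooses

# One or more DNS labels: letters, digits, hyphens; no leading or trailing hyphen.
_LABELS = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def match_wildcard(host_header: str, rule: str = WILDCARD_RULE) -> Optional[str]:
    """Return the normalized host if it is a subdomain covered by the rule."""
    host = host_header.strip().lower()
    host = host.rsplit(":", 1)[0].rstrip(".")  # drop an optional port and root dot
    suffix = rule[1:]                          # "*.example.org" -> ".example.org"
    if not host.endswith(suffix):
        return None
    sub = host[: -len(suffix)]
    # The part the wildcard stands for must itself be plain DNS labels, so
    # "attacker.test/.example.org" or "attacker.test@x.example.org" do not match.
    return host if _LABELS.match(sub) else None


def redirect_for(host_header: str, path: str) -> Optional[Tuple[int, str]]:
    """HTTP -> HTTPS redirect for hosts under the rule; None means no redirect."""
    host = match_wildcard(host_header)
    if host is None:
        return None
    if not path.startswith("/"):
        path = "/"
    return REDIRECT_STATUS, f"https://{host}{path}"


if __name__ == "__main__":
    # Constructed Host header values, not taken from the commit.
    for h in ("app.example.org", "Spoofed.Example.org:80", "attacker.test",
              "example.org.attacker.test", "attacker.test/.example.org"):
        print(f"{h!r:32} -> {redirect_for(h, '/login')}")
```

A spoofed Host header under the wildcard still yields a redirect, but the target stays inside the same domain; anything outside it gets no redirect from this rule.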