In today's Drupal tutorial series I will talk about Trusted host settings, what they are and how to configure them.

In short, Trusted host settings protect against HTTP HOST Header attacks (they prevent your site from thinking it is someone else).

Drupal 7 added a new feature into the core that is not user-facing directly but is sometimes called poor man's cron. The feature triggers the periodic tasks of a Drupal site like emptying log files, sending e-mails, and clearing out caches. This feature, when combined with dynamic detection of the "base url" (added in Drupal 4.7), can lead to some screwy situations.

Let's start with the obvious: I first noticed a warning in a Drupal 8 website, saying:

The trusted_host_patterns setting is not configured in settings.php. This can lead to security vulnerabilities. It is highly recommended that you configure this. See Protecting against HTTP HOST Header attacks for more information.

Warning about Trusted Host Settings in Drupal 8

In case you are running a single website, the solution is simple: open the settings.php file and add the following code:

$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
];
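
The pattern above is anchored with ^ and $ and escapes each dot; a pattern that drops either one matches hosts it should not. The following PHP script is an added example, not part of the original post or of Drupal core: it checks candidate pattern lists against constructed Host values, wrapping each pattern as {pattern}i on the assumption that this mirrors how Symfony's Request::setTrustedHosts() compiles them. The function name host_is_trusted() and all host names are made up for illustration.

```php
<?php
// Added example: test trusted_host_patterns candidates before using them.
// Assumption: patterns are compiled as {pattern}i (case-insensitive, with
// no implicit anchors), as in Symfony's Request::setTrustedHosts().

function host_is_trusted(string $host, array $patterns): bool {
  // Strip an optional port and lower-case the value before matching.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Constructed candidates: two common mistakes and the form used above.
$candidates = [
  'missing anchors'      => ['www\.example\.com'],
  'unescaped dots'       => ['^www.example.com$'],
  'anchored and escaped' => ['^www\.example\.com$'],
];

// Constructed Host values and whether the site should accept them.
$expected = [
  'www.example.com'            => TRUE,
  'WWW.EXAMPLE.COM:8080'       => TRUE,
  'www.example.com.other.test' => FALSE, // trusted name used as a prefix
  'wwwXexample.com'            => FALSE, // "." in the pattern matches any character
  'other.test'                 => FALSE,
];

foreach ($candidates as $label => $patterns) {
  $wrong = [];
  foreach ($expected as $host => $should_trust) {
    if (host_is_trusted($host, $patterns) !== $should_trust) {
      $wrong[] = $host;
    }
  }
  // Report every Host value the candidate list classifies incorrectly.
  printf("%-22s %s\n", $label, $wrong ? 'MISMATCH: ' . implode(', ', $wrong) : 'ok');
}
```

Run it with the php command-line interpreter; any pattern list reported as MISMATCH accepts or rejects a host it should not.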

For more complicated use, please see the following article: Trusted Host settings