FastAPI framework, ~10 mins

Trusted host middleware in FastAPI - Step-by-Step Execution

Concept Flow - Trusted host middleware
Request Received
  -> Check Host Header
  -> Is Host in Trusted List?
       No  -> Reject Request (400)
       Yes -> Pass Request to App -> Response Sent
The middleware reads the request's Host header, drops any ":port" suffix, and checks the remaining hostname against the trusted list. If it matches, the request is passed to the app; otherwise the middleware answers with 400 Bad Request and the app never sees the request.
Execution Sample (FastAPI)
from fastapi import FastAPI
# FastAPI also re-exports this class as fastapi.middleware.trustedhost.TrustedHostMiddleware
from starlette.middleware.trustedhost import TrustedHostMiddleware

app = FastAPI()
# Only requests whose Host header names one of these hostnames reach the routes;
# a port suffix in the header (e.g. localhost:8000) is ignored when matching.
app.add_middleware(TrustedHostMiddleware, allowed_hosts=["example.com", "localhost"])
This code adds TrustedHostMiddleware so that only requests whose Host header is example.com or localhost are processed; every other Host value is answered with 400 Bad Request before any route runs.
Execution Table
Step | Request Host Header | Host in Allowed List? | Action         | Result
1    | "example.com"       | Yes                   | Pass to app    | Request processed
2    | "localhost"         | Yes                   | Pass to app    | Request processed
3    | "malicious.com"     | No                    | Reject request | 400 Bad Request response
4    | ""                  | No                    | Reject request | 400 Bad Request response
💡 Requests with hosts not in allowed_hosts are rejected with 400 Bad Request (response body "Invalid host header"). The comparison is on the hostname only, so "example.com:8000" is treated like "example.com".
Variable Tracker
Variable      | Start                        | After Step 1                 | After Step 2                 | After Step 3                 | After Step 4
request_host  | None                         | "example.com"                | "localhost"                  | "malicious.com"              | ""
allowed_hosts | ["example.com", "localhost"] | ["example.com", "localhost"] | ["example.com", "localhost"] | ["example.com", "localhost"] | ["example.com", "localhost"]
host_allowed  | False                        | True                         | True                         | False                        | False
Key Moments - 3 Insights
Why does the middleware reject requests with empty Host headers?
Because a missing or empty Host header is read as the empty string, which is not in the allowed_hosts list, so the middleware rejects it (execution table step 4). HTTP/1.1 requires a Host header, so this only turns away malformed or HTTP/1.0 requests.
What happens if the Host header matches exactly one of the allowed hosts?
The middleware passes the request to the app, as seen in steps 1 and 2 of the execution_table where 'example.com' and 'localhost' are allowed.
Can the allowed_hosts list contain wildcards or patterns?
Yes, but only two forms. "*" allows every host, and it is the default when allowed_hosts is omitted, so the check is effectively off until you set the list. "*.example.com" matches any subdomain such as api.example.com, but not the bare example.com. Any other placement of "*", such as "example.*", is rejected when the middleware is created. Entries without a wildcard must match the hostname exactly, as in the execution table; a port suffix on the Host header is stripped before the comparison.
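The following block is an added example, not code from the page or from Starlette itself: a plain-Python model of the decision the middleware makes for one request, written so the execution table above and the wildcard question can be replayed without starting a server. It mirrors the library's documented behaviour (port suffix dropped before matching, "*" allows everything, "*.example.com" matches subdomains, a bare host whose "www." form is allowed gets a redirect instead of a 400); the function names, the return strings "pass"/"redirect"/"reject" and the sample Host values are this example's own.

```python
"""Model of the Host-header check performed by Starlette's TrustedHostMiddleware.

Added example: a plain-Python reimplementation of the decision logic (not the
library's own code) so the rules can be exercised offline. Behaviour assumed
to mirror Starlette: port suffix dropped, "*" allows any host, "*.example.com"
matches subdomains, www-redirect for a bare host whose www. form is listed.
"""
from typing import Iterable, List, Tuple


def is_valid_pattern(pattern: str) -> bool:
    """Only "*" or a leading "*." wildcard is accepted; "example.*" is not."""
    if "*" in pattern[1:]:
        return False
    if pattern.startswith("*") and pattern != "*" and not pattern.startswith("*."):
        return False
    return True


def validate_patterns(allowed_hosts: Iterable[str]) -> List[str]:
    """Reject malformed patterns up front, as the middleware does at construction."""
    patterns = list(allowed_hosts)
    for pattern in patterns:
        if not is_valid_pattern(pattern):
            raise ValueError(f"bad pattern {pattern!r}: wildcard must be like '*.example.com'")
    return patterns


def check_host(host_header: str, allowed_hosts: Iterable[str], www_redirect: bool = True) -> str:
    """Return "pass", "redirect" or "reject" for one request's Host header.

    host_header is the raw header value, or "" when the header is absent.
    """
    patterns = validate_patterns(allowed_hosts)
    if "*" in patterns:
        return "pass"  # allow-any: the default when no list is configured

    # Only the hostname is compared: "example.com:8000" -> "example.com".
    # Side effect of the split: an IPv6 literal like "[::1]:8000" collapses to "[".
    host = host_header.split(":")[0]

    found_www_redirect = False
    for pattern in patterns:
        if host == pattern or (pattern.startswith("*") and host.endswith(pattern[1:])):
            return "pass"
        if "www." + host == pattern:
            found_www_redirect = True

    if found_www_redirect and www_redirect:
        return "redirect"  # 307 to the www. form of the same URL
    return "reject"        # 400 "Invalid host header"


def run_execution_table() -> List[Tuple[str, str]]:
    """Replay the page's execution table, plus edge cases it does not show."""
    allowed = ["example.com", "localhost"]
    cases = [
        "example.com",           # step 1
        "localhost",             # step 2
        "malicious.com",         # step 3
        "",                      # step 4: missing Host header
        "example.com:8000",      # port suffix is stripped before matching
        "example.com.evil.net",  # exact match only, no prefix trick
        "evil.example.com",      # subdomains need a "*.example.com" entry
        "[::1]:8000",            # IPv6 literal cannot be allow-listed this way
    ]
    return [(host, check_host(host, allowed)) for host in cases]


def run_wildcard_cases() -> List[Tuple[str, str]]:
    """Constructed Host values against a single "*.example.com" entry."""
    allowed = ["*.example.com"]
    cases = ["api.example.com", "a.b.example.com", "example.com",
             "api.example.com.evil.net", "apiexample.com"]
    return [(host, check_host(host, allowed)) for host in cases]


if __name__ == "__main__":
    for host, verdict in run_execution_table() + run_wildcard_cases():
        print(f"{host!r:28} -> {verdict}")
```

The model makes two things visible that the table alone does not: a port on the Host header never causes a rejection, and without a "*.example.com" entry every subdomain, including ones an attacker can register under a shared parent, is refused. The www-redirect branch is why a request for example.com can be answered with a redirect rather than a 400 when only www.example.com is allow-listed; pass www_redirect=False to the real middleware if you do not want that.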
Visual Quiz - 3 Questions
Test your understanding
1. Look at the execution table: what action is taken when the Host header is "malicious.com"?
A. Pass to app
B. Reject request
C. Redirect request
D. Ignore Host header
💡 Hint: check execution table row 3 under the 'Action' column.
2. At which step does the Host header check first set host_allowed to True?
A. Step 4
B. Step 3
C. Step 1
D. None
💡 Hint: look at the variable tracker row for 'host_allowed' at 'After Step 1' and 'After Step 2'.
3. If we add "malicious.com" to allowed_hosts, how would step 3 in the execution table change?
A. Action would be 'Pass to app' and Result 'Request processed'
B. Action would remain 'Reject request'
C. Result would be '500 Internal Server Error'
D. No change
💡 Hint: consider how allowed_hosts affects 'host_allowed' and the action in execution table step 3.
Concept Snapshot
TrustedHostMiddleware checks the Host header of incoming requests.
It compares the Host to a list of allowed hosts.
If the Host is allowed, the request proceeds.
If not, the middleware rejects with 400 Bad Request.
Use it to protect your app from Host header attacks, and set allowed_hosts explicitly: the default is ["*"], which allows every host.
Full Transcript
Trusted host middleware in FastAPI checks the Host header of each incoming request (and of each WebSocket handshake). It compares the hostname from that header, with any port suffix removed, against the list of allowed hosts you pass as allowed_hosts. If the hostname matches an entry, or a "*.example.com" wildcard entry, the middleware lets the request continue to your app. If it does not match, the middleware answers with 400 Bad Request and the body "Invalid host header", and your route code never runs. The Host header does not say where a request comes from; it says which site the client claims to be addressing, and an attacker can set it to any value. If your app builds absolute URLs from it (password-reset links, redirects, canonical links in cached pages), a forged Host lets the attacker point those URLs at a domain they control, which is the Host header attack this middleware blocks. Two deployment caveats: allowed_hosts defaults to ["*"], which disables the check, so set it explicitly in production; and when the app sits behind a reverse proxy, make sure the proxy forwards the client's original Host header, otherwise either legitimate traffic is rejected or every request arrives with the proxy's own Host value and the check no longer sees what the client sent.