alphagov · sarahseewhy · Dec 18, 2025 · Dec 18, 2025
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -1,4 +1,5 @@
 require "active_support/core_ext/integer/time"
+require_relative "../../lib/host_patterns"
 
 Rails.application.configure do
   # Settings specified here will take precedence over those in config/application.rb.
@@ -57,11 +58,8 @@
   config.i18n.fallbacks = true
 
   # Enable DNS rebinding protection and other `Host` header attacks.
-  # config.hosts = [
-  #   "example.com",     # Allow requests from example.com
-  #   /.*\.example\.com/ # Allow requests from subdomains like `www.example.com`
-  # ]
-  #
+  config.hosts = HostPatterns.allowed_host_patterns
+
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 end
diff --git a/lib/host_patterns.rb b/lib/host_patterns.rb
@@ -0,0 +1,12 @@
+module HostPatterns
+  DEFAULT_HOST_PATTERNS = [
+    /www\.forms\.service\.gov\.uk/,
+    /pr-[^.]*\.www\.review\.forms\.service\.gov\.uk/,
+  ].freeze
+
+  def self.allowed_host_patterns
+    additional_patterns = ENV.fetch("ALLOWED_HOST_PATTERNS", "").split(",").map { |pattern| Regexp.new(pattern.strip) }
+
+    [*DEFAULT_HOST_PATTERNS, *additional_patterns]
+  end
+end