From 9a18dbc0aba1d761028874859b5e0b50f217bae1 Mon Sep 17 00:00:00 2001
From: Tom Iles <tom.iles@digital.cabinet-office.gov.uk>
Date: Thu, 4 Apr 2024 11:52:07 +0100
Subject: [PATCH] WIP: Add healthcheck ip ranges

---
 config/environments/production.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/config/environments/production.rb b/config/environments/production.rb
index 96389b9fe..7c5b95e71 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -82,7 +82,11 @@
   config.active_record.dump_schema_after_migration = false
 
   # Enable DNS rebinding protection and other `Host` header attacks.
-  config.hosts << /.*\.forms\.service\.gov\.uk/
+  config.hosts [
+    /.*\.forms\.service\.gov\.uk/,
+    IPAddr.new('10.10.0.0/16') # for healthchecks in ECS
+  ]
+
   # Skip DNS rebinding protection for the default health check endpoint.
   # config.host_authorization = { exclude: ->(request) { request.path == "/up" } }
 end