From cbd92923312aa37f4d9bb8f1a84f2b428d93c35b Mon Sep 17 00:00:00 2001
From: kaitoozawa
Date: Tue, 23 Dec 2025 15:42:47 +1000
Subject: [PATCH] add public host to host authorization list
---
 core/main/router/router.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/core/main/router/router.rb b/core/main/router/router.rb
index 215273171..13bab5d07 100644
--- a/core/main/router/router.rb
+++ b/core/main/router/router.rb
@@ -14,6 +14,19 @@ module BeEF
 configure do
 set :show_exceptions, false
+
+ # Configure Rack::Protection::HostAuthorization.
+ # Allow Rack development defaults and dynamically permit the public host
+ # defined by beef.http.public.host to prevent "Host not permitted" errors.
+ permitted = [
+ '.localhost',
+ '.test',
+ IPAddr.new('0.0.0.0/0'),
+ IPAddr.new('::/0')
+ ]
+ public_host = config.get('beef.http.public.host').to_s.strip
+ permitted << public_host unless public_host.empty?
+ set :host_authorization, { permitted_hosts: permitted }
 end
 # @note Override default 404 HTTP response
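Review bot: The catch-all entries `IPAddr.new('0.0.0.0/0')` and `IPAddr.new('::/0')` sit in a bare `configure do`, so they apply in every environment rather than only in development as the comment implies. Any request whose Host header is an IP literal therefore passes host authorization, and the check constrains name-based hosts only. If access by IP is intended, state it in the comment (`# IP-literal Host headers are accepted on purpose; only hostnames are restricted`); otherwise narrow the ranges to loopback, e.g. `IPAddr.new('127.0.0.0/8')` and `IPAddr.new('::1')`. `public_host` is appended without validation, so a configured value carrying a scheme or port would presumably never match, and a leading dot would permit every subdomain; normalising or rejecting such values here would surface misconfiguration early. The definition of `config` and the loading of `ipaddr` are outside the hunk and should be confirmed.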