adding a blocklist break-glass header for Rack::Attack

When blocklisting broad IP ranges using the Rails Rack::Attack gem, it can be valuable to have a break-glass HTTP header so that legitimate users in a blocked range can still access the webapp.

The Rack::Attack docs provide most of the information on how to do this; however, the header name in the current example does not match the form a header takes once it has been injected by a browser extension such as SimpleModifyHeaders.

As it turns out, any such headers are uppercased and prefixed with HTTP_ by the time they reach Rack::Attack. So if in your browser extension you set your header as SuperSecretKey, Rack::Attack would see it as HTTP_SUPERSECRETKEY.

The code snippet below illustrates this, and also dumps the whole request.env (headers included) to the console as a comma-delimited list.

class Rack::Attack

  p "~~~~~~~~ RAAAACK ATTAAAAAAAACK ~~~~~~~~"

  # safelist by HTTP header
  # (`safelist` is the current name; older Rack::Attack releases call it `whitelist`)
  Rack::Attack.safelist("mark any authenticated user as safe") do |request|

    p "~~ HEADER CHECK ~~"

    # dump the whole env (request headers arrive as HTTP_* keys) as key=value pairs
    p request.env.sort.map { |k, v| "#{k}=#{v}" }.join(',')

    puts request.env.key?("HTTP_SUPERSECRETKEY")
    puts request.env["HTTP_SUPERSECRETKEY"]
    # the block's return value decides the safelist; `==` is fine for debugging,
    # use Rack::Utils.secure_compare for a constant-time comparison in production
    request.env["HTTP_SUPERSECRETKEY"] == "Hunter2"
  end

end
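As an added example (not the post's own code), here is the header-name mapping and the break-glass check as plain Ruby that runs without the gem; the safelist wiring at the end only takes effect when Rack::Attack is loaded. It also generalizes the mapping to hyphenated names such as X-Break-Glass, which Rack turns into HTTP_X_BREAK_GLASS. The header name, secret value and sample env are constructed placeholders.

```ruby
# Rack follows the CGI convention: header names are upcased, "-" becomes "_",
# and the result is prefixed with "HTTP_".
# "SuperSecretKey" -> "HTTP_SUPERSECRETKEY", "X-Break-Glass" -> "HTTP_X_BREAK_GLASS"
def rack_env_key(header_name)
  "HTTP_" + header_name.to_s.upcase.tr("-", "_")
end

# Compare without short-circuiting on the first differing byte, so response
# timing does not reveal how many leading bytes of the secret were right.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Placeholder values; load the real secret from the environment or a secret store.
BREAK_GLASS_HEADER = "SuperSecretKey"
BREAK_GLASS_SECRET = "Hunter2"

# True only when the request carries the header with exactly the shared secret.
def break_glass?(env, header = BREAK_GLASS_HEADER, secret = BREAK_GLASS_SECRET)
  value = env[rack_env_key(header)]
  return false if value.nil?
  constant_time_equal?(value.to_s, secret)
end

# Only HTTP_* entries of env are request headers; the rest are rack.* internals.
def request_headers(env)
  env.select { |k, _| k.start_with?("HTTP_") }.sort.map { |k, v| "#{k}=#{v}" }.join(",")
end

# Wire it into Rack::Attack when the gem is present (e.g. config/initializers/rack_attack.rb).
if defined?(Rack::Attack)
  Rack::Attack.safelist("break-glass header") { |req| break_glass?(req.env) }
end

# Constructed sample env, shaped like what Rack builds for a browser request
# that has the extension-injected header set.
SAMPLE_ENV = {
  "REQUEST_METHOD" => "GET", "PATH_INFO" => "/", "REMOTE_ADDR" => "203.0.113.7",
  "HTTP_HOST" => "app.example", "HTTP_SUPERSECRETKEY" => "Hunter2", "rack.input" => nil,
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts request_headers(SAMPLE_ENV)
  puts break_glass?(SAMPLE_ENV)
end
```

When rack is loaded, Rack::Utils.secure_compare provides the same constant-time comparison as constant_time_equal? above.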
