When blocklisting broad IP ranges using the Rails Rack::Attack gem, it can be valuable to have a break-glass HTTP header so that legitimate users in a blocked range can still access the webapp.
The Rack::Attack docs provide most of the information on how to do this, however the syntax in the current example does not match the format of a header injected into the browser using an extension such as SimpleModifyHeaders.
As it turns out, any such headers are uppercased and prefixed with HTTP_. So if in your browser extension you set your header as SuperSecretKey, Rack::Attack would pass it through as HTTP_SUPERSECRETKEY.
The below code snippet illustrates, and also dumps out all headers to the console as a comma delimited list.
class Rack::Attack p "~~~~~~~~ RAAAACK ATTAAAAAAAACK ~~~~~~~~" # whitelist by HTTP header Rack::Attack.safelist("mark any authenticated user as safe") do |request| p "~~ HEADER CHECK ~~" p request.env.sort.compact.reject(&:empty?).join(',') puts request.env.key?("HTTP_SUPERSECRETKEY") puts request.env["HTTP_SUPERSECRETKEY"] request.env["HTTP_SUPERSECRETKEY"] == "Hunter2" end end