Documentation Status: No known problems

As of version 1.14.0, Backdrop core supports "trusted host patterns" (change record), where you can (and should) specify a set of regular expressions that the domains on incoming requests must match. Example configuration in settings.php would read:

$settings['trusted_host_patterns'] = array( '^www\.example\.com$', ); // Placeholder host name; replace with your site's own domain.

See the change record for more details.

Note that as opposed to the way this security feature worked in Drupal (where it would block the installer from running, or even could potentially lock you out of your own site) it has been implemented in a less-forceful, opt-in way in Backdrop. There is only a warning in the site status report, to notify site admins that they should set this up properly, in order to increase the security of their site.
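The anchors (^ and $) and the escaped dot in these patterns are what keep look-alike host names from matching. The script below is an added example, not Backdrop core code, that checks candidate pattern sets against a list of host names before you put them in settings.php. It assumes each pattern is applied as a case-insensitive PCRE match against the request's host name; the function name host_matches() and the host names are constructed for illustration.

```php
<?php
// Added example, not Backdrop core code.
// Assumption: each trusted host pattern is applied as a case-insensitive
// PCRE match against the host name of the incoming request.
function host_matches(string $host, array $patterns): bool {
  foreach ($patterns as $pattern) {
    // Braces are used as delimiters so a pattern needs no extra escaping.
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return TRUE;
    }
  }
  return FALSE;
}

// Pattern sets to compare. The strict one is the form used on this page.
$pattern_sets = array(
  'strict (anchored, dot escaped)' => array('^sitename\.dd$'),
  'no anchors'                     => array('sitename\.dd'),
  'dot not escaped'                => array('^sitename.dd$'),
);

// Constructed host names mapped to whether the site should accept them.
$hosts = array(
  'sitename.dd'             => TRUE,
  'SITENAME.DD'             => TRUE,
  'sitename.dd.example.net' => FALSE,
  'other-sitename.dd'       => FALSE,
  'sitenameXdd'             => FALSE,
);

foreach ($pattern_sets as $label => $patterns) {
  print "Pattern set: $label\n";
  foreach ($hosts as $host => $expected) {
    $actual = host_matches($host, $patterns);
    if ($actual === $expected) {
      $flag = 'ok';
    }
    elseif ($actual) {
      $flag = 'TOO PERMISSIVE';
    }
    else {
      $flag = 'TOO STRICT';
    }
    printf("  %-24s %-7s %s\n", $host, $actual ? 'accept' : 'reject', $flag);
  }
}
```

Run it with the PHP command-line interpreter and replace the pattern sets and host list with your own; any line flagged TOO PERMISSIVE means the pattern set accepts a host name you did not intend to trust.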

Trusted host setting for MAMP 3

When working locally using MAMP (3.5.2), the '^localhost$' setting throws the error message "The provided host name is not valid for this server" and the site doesn't load. A solution is to add the site name without the port number. For example, if the site is "local-backdrop", then your trusted_host_patterns setting should look like:

$settings['trusted_host_patterns'] = array( '^local-backdrop$', );

Note: This problem seems to be limited to MAMP 3.x; on MAMP 4.2 '^localhost$' works just fine.

Trusted host setting for Acquia Dev Desktop 2

(tested with Backdrop 1.??? and PHP 7.2.8)

If you are using Acquia Dev Desktop 2, try the following trusted host pattern. Change "sitename" to the name of your site:

$settings['trusted_host_patterns'] = array( '^sitename\.dd$', );

Trusted host setting for XAMPP

(tested with Backdrop 1.??? and PHP 7.1.8)

Try the following trusted host pattern:

$settings['trusted_host_patterns'] = array( '^localhost$', '^192\.168\.00\.52$', '^127\.0\.0\.1$', );

  • '^localhost$': This will allow the site to only run from localhost.
  • '^192\.168\.00\.52$': This will allow the site to only run from the system IP (change this to your own IP).
  • '^127\.0\.0\.1$': This will allow the site to only run from 127.0.0.1 instead of localhost.

Note: If you are running a multisite, then specify all of the host patterns that should be allowed.