Update rack permitted hosts to permit all

Permitting all hosts. For PID application this is a low-risk setting.
 1. Host header poisoning: Low-Medium risk
    - Since you're directly looking up PIDs in your database before redirecting, manipulated host headers won't affect your core
  redirection logic
  2. Session hijacking: Low risk
    - Your PID resolution service likely doesn't rely on complex session states for anonymous users
  3. Response header poisoning: Low risk
    - Without validation, response headers might include incorrect domains, but impact is minimal for redirections
  4. Cache poisoning: Very low risk
    - With no CDN and direct AWS ELB routing, cache poisoning vectors are minimal

Author: cscollett

app/app.rb

@@ -68,7 +68,7 @@ class PidApp < Sinatra::Base
   configure :development, :production do
     enable :logging
 
-    PERMITTED_HOSTNAMES = [APP_CONFIG['app_host']] + (APP_CONFIG['alt_app_hosts'] || "").split(',').map(&:strip)
+    PERMITTED_HOSTNAMES = [] # allow all hosts
     set :host_authorization, { permitted_hosts: PERMITTED_HOSTNAMES }
   end
 

app/config/app.yml.example

@@ -5,7 +5,6 @@ application_name: 'PID Service'
 # The server and port where the main PID application will be hosted (comment out the port if you do not need to specify)
 app_host: <%= ENV['APP_HOST'] %>
 app_port: <%= ENV['APP_PORT'] %>
-alt_app_hosts: <%= ENV['ALT_APP_HOSTS'] %>
 
 # The url that the system should direct users to when an inactive PID is requested
 dead_pid_url: <%= ENV['DEAD_PID_URL'] %>