multisite default.php security hardening

Public

There's a "glitch" if you will in that you can take any domain and remap it in your host file to point to a drupal site and if it doesn't find a match (in a multi-site typically) then it will look for sites/default/settings.php . If you don't have a default site installed (or if one is and the address coming in makes no sense) this can cause issues; either for caches generated at invalid addresses, potentially wrong addresses pointing to the same domain as your real one or (much worse) misconfiguring of the server on your side which exposes default to being installed by anyone :)

To avoid this, you can create a settings.php that does something like the following

</> CopyGet raw version
php
  1. <?php
  2. header('Location: https://the.address.you.want.to.point.them.to');
  3. exit;