Host header attack
Description
Host Header Attack vulnerabilities occur when web applications trust and use the HTTP Host header value without proper validation. Applications commonly use this header to generate absolute URLs, import resources, construct password reset links, and determine routing logic. Since attackers can arbitrarily set the Host header value in their requests, this trust relationship creates a security risk that can be exploited through web cache poisoning, password reset manipulation, and other attack vectors.
Remediation
Implement the following security controls to prevent Host Header attacks:
1. Use SERVER_NAME instead of Host header: Configure your application to use the SERVER_NAME server variable, which reflects the configured virtual host name rather than the client-supplied Host header.
2. Implement Host header validation: Create an allowlist of valid Host header values and reject any request whose Host does not match exactly (compare the whole normalised value; do not accept a host merely because it contains or ends with an allowed name):

// Example validation (pseudocode)
allowedHosts = ['example.com', 'www.example.com']
if (request.host not in allowedHosts) {
    return 400 // Bad Request
}

3. Configure a default catch-all virtual host:
Apache: Set UseCanonicalName to On and define a non-wildcard ServerName, so that SERVER_NAME and self-referential URLs are derived from ServerName rather than from the client-supplied Host header:

<VirtualHost *:80>
    ServerName example.com
    UseCanonicalName On
</VirtualHost>

Nginx: Define a default server block that catches unrecognized hosts:
server {
    listen 80 default_server;
    server_name _;
    return 444; # Close the connection without sending a response
}

4. Avoid using the Host header in sensitive operations: Never use the Host header to construct password reset URLs, authentication callbacks, or other security-critical links. Use hardcoded, configuration-based domain values instead.
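The following Python module is an added example that is not part of the original page; it implements remediation items 2 and 4 together: an exact-match Host allowlist that normalises case, a trailing dot and an optional port before comparing, and a password reset link built from a configured base URL rather than from the request. ALLOWED_HOSTS, ALLOWED_PORTS, CANONICAL_BASE_URL and the handle_request() handler are constructed for this example and are not from any framework; the headers dict is assumed to have already been canonicalised to the key "Host".

```python
"""Host header allowlist check and configuration-based reset links (added example)."""
from typing import Optional
from urllib.parse import quote

# Deployment configuration, constructed for this example.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_PORTS = {None, 80, 443}                 # None = no explicit port in the header
CANONICAL_BASE_URL = "https://www.example.com"  # fixed in config, never read from a request


def split_host_port(raw: str) -> tuple[str, Optional[int]]:
    """Split 'host[:port]' into (host, port). IPv6 literals arrive bracketed, e.g. '[::1]:8080'."""
    if raw.startswith("["):
        end = raw.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = raw[1:end], raw[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected characters after IPv6 literal")
        rest = rest[1:]
    else:
        host, _, rest = raw.partition(":")
        if ":" in rest:
            raise ValueError("malformed host:port value")
    if rest == "":
        return host, None
    if not rest.isdigit() or not 1 <= int(rest) <= 65535:
        raise ValueError("malformed port")
    return host, int(rest)


def validate_host(headers: dict[str, str]) -> str:
    """Return the canonical host name if the Host header is on the allowlist, else raise ValueError.

    Only the Host header is consulted; proxy override headers are deliberately ignored here.
    """
    raw = headers.get("Host")
    if raw is None or raw.strip() == "":
        raise ValueError("missing Host header")
    host, port = split_host_port(raw.strip())
    # Normalise so 'EXAMPLE.COM.' and 'example.com' compare equal, but never do
    # substring or suffix matching: 'example.com.attacker.invalid' must not pass.
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    if port not in ALLOWED_PORTS:
        raise ValueError(f"unexpected port: {port}")
    return host


def password_reset_url(token: str) -> str:
    """Build the reset link from configuration only (remediation item 4)."""
    return f"{CANONICAL_BASE_URL}/reset?token={quote(token, safe='')}"


def handle_request(headers: dict[str, str], token: str) -> tuple[int, Optional[str]]:
    """Hypothetical handler: 400 on a bad Host, otherwise 200 with a config-derived reset URL."""
    try:
        validate_host(headers)
    except ValueError:
        return 400, None
    return 200, password_reset_url(token)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        {"Host": "www.example.com"},
        {"Host": "EXAMPLE.COM:443"},
        {"Host": "example.com.attacker.invalid"},
        {"Host": "www.example.com:8443"},
        {},
    ]
    for hdrs in samples:
        print(repr(hdrs.get("Host")), "->", handle_request(hdrs, "tok123"))
```

The validator returns the canonical host so callers can log which allowed name matched, but the reset URL never depends on that value: even a request that passes validation gets a link built from CANONICAL_BASE_URL, which is what keeps a poisoned or merely unexpected Host value out of e-mailed links.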