[host_spoofing] Request's Host header forgery

Often, an application located behind Nginx needs a correct Host header for URL generation (redirects, resources, links in emails etc.). Spoofing of this header, may leads to a variety of problems, from phishing to SSRF.

Notice: your application may also use the X-Forwarded-Host request header for this functionality. In this case you have to ensure the header is set correctly;

How can I find it?

Most of the time it's a result of using $http_host variable instead of $host.

And they are quite different:

$host - host in this order of precedence: host name from the request line, or host name from the “Host” request header field, or the server name matching a request;
$http_host - "Host" request header.

Config sample:

location @app {
  proxy_set_header Host $http_host;
  # Other proxy params
  proxy_pass http://backend;
}

What can I do?

Luckily, all is quite obvious:

list all the correct server names in server name directive;
always use $host instead of $http_host.

hostspoofing.md 1.3 KB

Permalink History Raw

[host_spoofing] Request's Host header forgery

How can I find it?

What can I do?

Additional info

hostspoofing.md 1.3 KB Permalink History Raw

[host_spoofing] Request's Host header forgery

How can I find it?

What can I do?

Additional info

hostspoofing.md 1.3 KB

Permalink History Raw