Fetching contributors…
Cannot retrieve contributors at this time
33 lines (25 sloc) 1.26 KB

[host_spoofing] Request's Host header forgery

Often, an application located behind Nginx needs a correct Host header for URL generation (redirects, resources, links in emails etc.). Spoofing of this header, may leads to a variety of problems, from phishing to SSRF.

Notice: your application may also use the X-Forwarded-Host request header for this functionality. In this case you have to ensure the header is set correctly;

How can I find it?

Most of the time it's a result of using $http_host variable instead of $host.

And they are quite different:

  • $host - host in this order of precedence: host name from the request line, or host name from the “Host” request header field, or the server name matching a request;
  • $http_host - "Host" request header.

Config sample:

location @app {
  proxy_set_header Host $http_host;
  # Other proxy params
  proxy_pass http://backend;

What can I do?

Luckily, all is quite obvious:

  • list all the correct server names in server name directive;
  • always use $host instead of $http_host.

Additional info