[host_spoofing] Request's Host header forgery¤
Often, an application located behind Nginx needs a correct Host
header for URL generation (redirects, resources, links in emails etc.).
Spoofing of this header, may leads to a variety of problems, from phishing to SSRF.
Notice: your application may also use the
X-Forwarded-Host
request header for this functionality. In this case you have to ensure the header is set correctly;
How can I find it?¤
Most of the time it's a result of using $http_host
variable instead of $host
.
And they are quite different:
* $host
- host in this order of precedence: host name from the request line, or host name from the “Host” request header field, or the server name matching a request;
* $http_host
- "Host" request header.
Config sample:
location @app {
proxy_set_header Host $http_host;
# Other proxy params
proxy_pass http://backend;
}
What can I do?¤
Luckily, all is quite obvious:
* list all the correct server names in server name
directive;
* always use $host
instead of $http_host
.