Score:0

How reliable is the "host" in an incoming HTTPS request?

I'm trying to understand what level of confidence I can have when my API which lives at api.foo.com receives a POST request from a page that has foo.com specified as its host value in the header.

Specifically - is this something that can be faked (maybe even is somehow easy to fake?) or is it difficult (impossible?) for someone to send something to api.foo.com from some entirely alternate location and spoof in the header that the host is foo.com?

If it's not difficult or impossible then what's the industry standard mechanism for verifying that the request is coming from a trusted place?

Score:2

The Host header is part of the HTTP request that specifies which virtual host on the web server the request is made to.

It has nothing to do with the source of the request. Anyone can make an HTTP / HTTPS request to your web server and specify google.com in the Host header. Then it is up to your web server to decide what it wants to do with the request.

Browsers typically add an HTTP Referer header to requests, which indicates which source page provided the URL for this request. However, the Referer field is also untrusted user input, and it can be easily faked.

An example:

User is visiting the http://www.example.com/example website, which has a hyperlink to http://www.example.org. User clicks on the link. User's browser sends the request to the IP address of www.example.org, with the following HTTP headers:

Host: www.example.org
Referer: http://www.example.com/example

Recently browsers have started to strip the Referer header contents so that it contains only the root URL (http://www.example.com) when making cross-domain requests.

Overall, you cannot trust any HTTP request header to contain exactly the data you expect, since it is untrusted user input.

Score:1

The Host: request header (RFC 7230 § 5.4) is untrusted user input. It is supplied by the user agent to indicate the (virtual) host that the HTTP request pertains to. Any malicious user agent can connect to your server and make a request with an invalid Host: header.

You are meant to validate that the content of the Host: header corresponds to your actual hostname before processing the request. Normally the web server (nginx, Apache, etc.) takes care of this for you and then passes the request to your app. But if you expose the app directly to the Internet, not behind a regular web server, then you must validate it yourself.

Yevgeny Simkin
wait - so - the webserver *can* validate that the call is indeed coming from foo.com and not from something that stuck foo.com into the header? Do you know where I can read about how this works and how reliable this is? Or am I misunderstanding you?
Michael Hampton
This is one of the most basic functions of the web server. Have you set one up before? See for example https://nginx.org/en/docs/http/request_processing.html
user10489
"can validate that the call is indeed coming from foo.com and not from something that stuck foo.com into the header" I believe the host is not where it is *from* it is where it is *to*... in other words, the remote request is asking for foo.com which should be one of your host aliases (but might not be).
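Added example, not code from the thread: the short script below makes the two answers concrete. It parses a raw HTTP/1.1 request head, shows that the Host and Referer values are simply bytes the sender wrote (two requests with identical headers are indistinguishable to the server, whoever sent them), and then validates Host against the server's own names the way a front-end web server does before routing the request to an app. The server names, sample requests and peer addresses are constructed for the example; the normalization follows the case-insensitive, optional-port form of RFC 7230 section 5.4 cited above.

```python
"""Added example (not from the thread): parse a raw HTTP/1.1 request head,
show that Host and Referer are just bytes the client chose, and validate
Host against the server's own names the way a front-end web server does."""

from typing import Dict, List, Optional, Tuple

# Hostnames this server answers for (constructed; the thread uses api.foo.com).
SERVER_NAMES = {"api.foo.com"}


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, List[str]]]:
    """Return (method, request-target, headers) from a raw request.

    Header names are lower-cased; values are kept in a list so a duplicated
    header stays visible to the caller instead of being silently overwritten.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def normalize_host(value: str) -> Optional[str]:
    """Lower-case and strip an optional :port from a Host value.

    Host comparison is case-insensitive (RFC 7230 section 5.4). IPv6 literals
    are bracketed, so for them the port can only follow the closing bracket.
    """
    host = value.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end > 0 else None
    host = host.split(":", 1)[0]
    return host or None


def check_host(headers: Dict[str, List[str]], server_names) -> Tuple[bool, str]:
    """Decide whether the request is for one of our virtual hosts.

    This mirrors what nginx/Apache do before handing a request to the app:
    a request whose Host is missing, duplicated, empty or unknown is not for
    us and should be answered with 400 (or dropped), never routed.
    """
    values = headers.get("host", [])
    if len(values) != 1:
        return False, "missing or duplicate Host header"
    host = normalize_host(values[0])
    if host is None:
        return False, "empty Host header"
    if host not in server_names:
        return False, f"unknown host {host}"
    return True, host


def describe_request(raw: bytes, peer_ip: str) -> Dict[str, object]:
    """Summarize what the server can actually know about a request.

    Host and Referer come from the request bytes, i.e. from whoever wrote
    them. The only origin information the client did not type is the TCP
    peer address, and even that is only the last hop (a proxy, a NAT box).
    """
    _method, _target, headers = parse_request_head(raw)
    ok, detail = check_host(headers, SERVER_NAMES)
    return {
        "peer_ip": peer_ip,
        "host_header": headers.get("host"),
        "referer_header": headers.get("referer"),
        "accepted": ok,
        "detail": detail,
    }


# Constructed sample requests. The first two are byte-for-byte identical:
# nothing in them tells the server which one really came from a page on foo.com.
REQ_FROM_BROWSER = (
    b"POST /v1/items HTTP/1.1\r\nHost: api.foo.com\r\n"
    b"Referer: https://foo.com/page\r\nContent-Length: 0\r\n\r\n"
)
REQ_FROM_SCRIPT = REQ_FROM_BROWSER  # same bytes, different sender
REQ_WITH_PORT = b"GET / HTTP/1.1\r\nHost: API.FOO.COM:443\r\n\r\n"
REQ_WRONG_HOST = b"GET / HTTP/1.1\r\nHost: google.com\r\n\r\n"
REQ_NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for label, raw, peer in [
        ("browser", REQ_FROM_BROWSER, "203.0.113.10"),
        ("script", REQ_FROM_SCRIPT, "198.51.100.77"),
        ("port", REQ_WITH_PORT, "203.0.113.10"),
        ("wrong host", REQ_WRONG_HOST, "198.51.100.77"),
        ("no host", REQ_NO_HOST, "198.51.100.77"),
    ]:
        print(label, describe_request(raw, peer))
```

Running the script prints one summary per sample: the browser and script requests are both accepted with the same Host and Referer values and differ only in the peer address the TCP layer reported, the upper-case Host with a port is accepted after normalization, and the google.com and header-less requests are refused before any application code sees them.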