A Host Header Attack (also known as Host Header Injection) is a situation in which your web server accepts requests carrying any value in the Host header, even values that do not match your website's host name. By default, every server should accept requests only for the domains it supports and reject all others. If your server instead serves requests aimed at any host, it can be used to manipulate your websites and applications, because in many cases developers use the Host header value to run scripts, generate links and perform other tasks. In this article, we will learn how to prevent a host header attack in NGINX.
NGINX Prevent Host Header Attack
Here are the steps to prevent host header injection.
1. Use SERVER_NAME
The first step is to stop using the Host request header in your application, since an attacker can control it and abuse it for web cache poisoning and for tampering with application emails such as password reset emails. Use the SERVER_NAME variable instead.
2. Create Wildcard Virtual Host
Create a wildcard virtual host that serves requests for all domains other than the ones (e.g. www.mysite.com) actually supported by your server. To do this, specify a non-wildcard SERVER_NAME in NGINX and turn on the UseCanonicalName directive.
Here is an example of the server_name directive for example.com (note the terminating semicolon, which NGINX requires):
server_name example.com www.example.com;
Don't use server_name with a bare underscore (_) as a catch-all in your site's own server block.
3. Default settings
NGINX ships with a default virtual host configuration file. It already contains settings to catch every Host header other than the names listed in your server_name directive, so leave it unchanged. In that case, NGINX will automatically catch all requests that do not carry your website's host name and return a '403 access forbidden' response.
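The following configuration is an added example that is not part of the original article or of the NGINX project's own documentation; it shows the three steps above in one place. The domain names, listening ports and the backend address 127.0.0.1:8080 are assumptions.

```nginx
# Added example (not from the original article): a minimal NGINX layout that
# applies the three steps above. Names, ports and the backend address are assumed.

# Steps 2 and 3: a catch-all default server. Any request whose Host header does
# not match a server_name in another block lands here and is rejected. 444 is
# an NGINX-specific status that closes the connection without a response; use
# "return 403;" if you prefer the explicit "403 Forbidden" the article mentions.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;          # the underscore belongs only in this catch-all block
    return 444;
}

# The real site: explicit, non-wildcard server names only.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    location / {
        # Step 1: hand the configured canonical name to the application instead
        # of the client-supplied Host header, so links such as password-reset
        # URLs are never built from attacker-controlled input. $server_name is
        # the first name in the server_name directive above (example.com).
        proxy_set_header Host $server_name;
        proxy_pass http://127.0.0.1:8080;   # assumed backend address
    }
}
```

To check the result, send a request with an unexpected Host header (for example `curl -H "Host: attacker.example" http://<your-server-ip>/`) and confirm the connection is closed or a 403 is returned, then repeat with `Host: example.com` and confirm the application answers. For HTTPS, add a matching `default_server` block on port 443 with a certificate of its own (a self-signed one is enough), because the TLS handshake completes before NGINX sees the Host header.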
That’s it. In this article, we have learnt how to prevent host header attack.