
Host Header

An HTTP request header that specifies the target domain, frequently exploited when servers trust its value without validation.

The Host header is an HTTP request header that specifies the domain name of the server the client is attempting to reach. It is essential in environments where a single server hosts multiple websites (virtual hosting), as the server uses this header to determine which site should handle the request. Security issues arise when applications trust the Host header value for security-sensitive operations without proper validation.

How It Works

Every HTTP/1.1 request must include a Host header. When a browser navigates to https://example.com/login, it sends a request with Host: example.com. The web server or reverse proxy examines this header to route the request to the correct virtual host. Routing on its own is rarely the problem: the client chooses the header value, so it is attacker-controlled input like any other, and the trouble starts when the application reads it back and treats it as trustworthy.

Problems emerge when the application uses the Host header value to generate URLs, links, or redirects. The classic case is password reset poisoning. The application receives a reset request for a victim's account, generates a token, and constructs the reset link from the Host header: https://{Host}/reset?token=abc123. The attacker submits the reset request for the victim's address with a manipulated header such as Host: attacker.com, so the email the victim receives contains https://attacker.com/reset?token=abc123. When the victim clicks it, their browser requests that URL from the attacker's server, which logs the token; the attacker then presents the same token to the real site and sets a new password. Many frameworks also honour proxy headers such as X-Forwarded-Host when building URLs, so those headers need the same treatment as Host.

Host header injection can also lead to web cache poisoning, where a manipulated host value is reflected into a response (for example into an absolute script or stylesheet URL) that a reverse proxy or CDN then caches. Subsequent users who request the same page receive the poisoned cached response. Because most caches include Host in the cache key, this usually depends on an override header such as X-Forwarded-Host that the application honours but the cache ignores. Server-side request forgery, open redirects, and access control bypasses through virtual host manipulation (reaching an internal or staging vhost by naming it in Host) are additional attack scenarios.

Why It Matters

Host header attacks are prevalent because many developers do not realise the header is user-controlled and therefore untrusted input. Applications should validate the Host header (and any override headers they honour, such as X-Forwarded-Host) against an allowlist of expected values and reject the request when it does not match; most frameworks provide a setting for exactly this, such as ALLOWED_HOSTS in Django or config.hosts in Rails. Absolute URLs in emails and redirects should be built from a configured canonical origin rather than from the request. At the edge, the web server should serve a catch-all default virtual host that returns an error for requests whose Host is not one it knows, and the front-end proxy should reject requests with duplicate or malformed Host headers rather than forwarding them.
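The password reset flow from the previous section and the validation advice above, as an added example that is not code from the original page: the vulnerable link builder trusts Host (and X-Forwarded-Host), while the hardened version allowlists the header and then builds the link from a configured canonical origin. The header dictionaries, the allowlist, the token value and the function names are all constructed for the example.

```python
"""Password reset links: trusting the Host header versus allowlisting it.

Added example, not from the page. The requests below are constructed as plain
dictionaries of header name -> value; real frameworks expose something similar.
"""
from typing import Optional
from urllib.parse import urlencode

# Assumed deployment configuration (hypothetical values).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_ORIGIN = "https://example.com"  # never derived from the request


def get_header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host comes straight from client-controlled
    headers, and a proxy override header is honoured blindly."""
    host = get_header(headers, "X-Forwarded-Host") or get_header(headers, "Host")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def validate_host(raw_host: Optional[str], allowed=ALLOWED_HOSTS) -> Optional[str]:
    """Normalise a Host value and check it against the allowlist.

    Returns the canonical lowercase hostname, or None if the header is missing,
    malformed, or not allowlisted. Handles upper case, a trailing dot, an explicit
    port, and lookalikes such as 'example.com.attacker.com' or
    'example.com@attacker.com' (which fail the character check).
    """
    if not raw_host:
        return None
    host = raw_host.strip().lower().rstrip(".")
    if host.startswith("["):  # IPv6 literal: not something we ever allowlist
        return None
    if ":" in host:  # strip an explicit port, but only a numeric one
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    if not host or not all(c.isalnum() or c in "-." for c in host):
        return None
    return host if host in allowed else None


class HostNotAllowed(Exception):
    """Raised to turn the request into a 400; no reset email is sent."""


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: reject the request unless Host is allowlisted, ignore
    override headers entirely, and build the link from configuration."""
    if validate_host(get_header(headers, "Host")) is None:
        raise HostNotAllowed("Host header not in allowlist")
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    attack = {"Host": "attacker.com"}
    proxied = {"Host": "example.com", "x-forwarded-host": "attacker.com"}
    print(build_reset_link_vulnerable(attack, "abc123"))
    print(build_reset_link_vulnerable(proxied, "abc123"))
    print(build_reset_link_hardened({"Host": "WWW.EXAMPLE.COM:443"}, "abc123"))
```

Rejecting the request outright, rather than silently substituting the canonical host, is deliberate: a Host value that is not on the allowlist means either a misconfiguration or an attack, and both deserve a 400 and a log entry rather than a quietly delivered email.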

During security assessments, Host header testing is standard practice because the vulnerability is common, the exploitation is straightforward, and the impact can range from phishing to account takeover.

Need your application tested? Get in touch.
