Re: Is $http_host dangerous?

May 27, 2012 05:56PM
Hi Francis,
Thanks for the response.

After reading the documentation, http://wiki.nginx.org/HttpCoreModule#.24host

When the HOST is empty, it's responded with 400 as expected.

I think the argument would come down to whether we trust the value sent by the user.
In both uses of $http_host and $host, I think the 3rd curl command is trying to send a custom header whose HOST value is user-defined? I believe that if we compromised the DNS or the network, for example, there is a possible way to hijack the nginx servers by modifying the header...

Since $host is a strict version of $http_host, and when it's empty it uses the $server_name directive, I believe it's a small bit of an extra security layer... besides getting rid of the port number in the response?
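An added configuration example, not part of the original post or thread: one way to limit how far a client-supplied Host value can reach, by combining a catch-all server with `$host`. The names `example.com` and `www.example.com` and the backend address `127.0.0.1:8080` are placeholders chosen for illustration.

```nginx
# Added example. example.com and 127.0.0.1:8080 are placeholders.

# Catch-all: any request whose Host matches no server_name below lands
# here and the connection is closed without a response (444 is an
# nginx-specific code), so an arbitrary Host never reaches the application.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com www.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Weaker: $http_host is the raw Host request header, passed on
        # exactly as the client sent it (case and port included).
        # proxy_set_header Host $http_host;

        # Preferred: $host is lowercased, has no port, and falls back to
        # the server name when the request carries no Host header.
        proxy_set_header Host $host;
    }

    location = /old {
        # For redirects, $server_name (the first name listed above) comes
        # from the configuration and is not taken from the request at all.
        return 301 http://$server_name/new;
    }
}
```

With the catch-all in place, the second server block only handles requests whose Host matched one of its listed names, so `$host` there is limited to those names.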
Subject                        Author         Posted
Is $http_host dangerous?       jwxie          May 26, 2012 07:00PM
Re: Is $http_host dangerous?   Francis Daly   May 27, 2012 07:24AM
Re: Is $http_host dangerous?   x7311          May 27, 2012 05:56PM
Re: Is $http_host dangerous?   x7311          May 27, 2012 06:16PM
Re: Is $http_host dangerous?   Francis Daly   May 27, 2012 07:22PM
Re: Is $http_host dangerous?   Francis Daly   May 27, 2012 08:30PM


