nginx - is using $http_host dangerous?
From my own answer, I had to replace $host with $http_host to get my problem resolved...
But is this safe?
It seems like all $http_host is doing is exposing the whole Host header.
The explanation here is still not clear to me...
Does anyone have any idea why $http_host would be more dangerous?
EDIT
Actually, this is my 3rd edit... I should reconsider my position on this after reading this: https://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma
I am not sure how nginx reacts to that, but do you guys think nginx would also be in line with Chris's test result that neither is safe?
Under what circumstances can you think of a way to exploit this when using $http_host? Furthermore, why is it important to strip out the port number?
I understand that it is possible to compromise the network, send in some Host: fake or old IP, and then perform a rebind attack, as I read somewhere else?
Solution 1:
$host is simply $http_host with some processing (stripping the port number and lowercasing) and a default value (of the server_name), so there's no less "exposure" to the Host header sent by the client when using $http_host. There's no danger in this though.
Solution 2:
Checking all header values in application is needed. Though nginx can do some protection to your web-app, you should not rely only on it.
I believe it might be possible to write a webapp that is vulnerable to Host header abuse through both $host and $http_host, but it isn't a reason to avoid its usage in nginx config.
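The following Python is an added example, not code from the thread: it models the normalisation Solution 1 describes ($host derived from $http_host by stripping the port, lowercasing and falling back to server_name) and then applies the application-side allowlist check Solution 2 recommends. ALLOWED_HOSTS, the server_name value and all function names are assumptions; the regex is a simplified stand-in for nginx's own Host validation, which answers 400 on a malformed header.

```python
import re

# Hostnames this application is willing to serve (constructed allowlist).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Host header grammar: either a bracketed IPv6 literal or a DNS-style name,
# optionally followed by ":port". Anything else is treated as malformed.
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9a-fA-F:.]+)\]|(?P<name>[a-zA-Z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)


def nginx_host(http_host, server_name):
    """Model of nginx's $host as derived from $http_host.

    Strips any ":port", lowercases, drops a trailing dot, and falls back to
    server_name when the header is absent or empty. Returns None for a header
    that fails validation (nginx itself would reject such a request).
    """
    if not http_host:
        return server_name
    m = _HOST_RE.match(http_host.strip())
    if m is None:
        return None
    if m.group("v6") is not None:
        return "[" + m.group("v6").lower() + "]"
    return m.group("name").lower().rstrip(".")


def host_is_allowed(http_host, server_name="example.com"):
    """Application-side check: normalise the way nginx does, then require an
    exact match against an explicit allowlist instead of trusting the header."""
    host = nginx_host(http_host, server_name)
    return host is not None and host in ALLOWED_HOSTS


def naive_host_check(http_host):
    """The kind of check that goes wrong without port stripping and exact
    matching: a prefix test accepts look-alike hosts and rejects our own host
    whenever a port is present (shown here only as the anti-pattern)."""
    return http_host.startswith("example.com")
```

Run the two checks side by side on "example.com.attacker.net" and "EXAMPLE.com:8443" to see why the port is stripped and why the comparison must be exact.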