CyberGlossary

Host Header Injection

Also known as: X-Forwarded-Host injection, Virtual host abuse

Definition

A vulnerability where an application trusts the HTTP Host (or X-Forwarded-Host) header to build URLs, allowing attackers to redirect users or poison caches.

Host header injection occurs when server-side code uses the Host header, or a proxy variant such as X-Forwarded-Host, to construct absolute URLs (password-reset links, redirects, image src attributes, canonical tags, OAuth callbacks) without validating it against an allow-list. An attacker who controls the header can point those links at a hostile domain, leading to phishing-style password reset poisoning, cache poisoning, SSRF, or responses routed to an attacker-controlled hostname. The flaw is common in reverse-proxy setups and in frameworks that read the host from more than one header. Mitigations: derive URLs from a configured trusted host, validate Host and X-Forwarded-Host against an allow-list, drop unrecognised forwarded headers at the edge, and use HSTS.

Examples

  • Triggering a password reset that emails a link to https://attacker.com/reset?token=... because the app uses Host.
  • Poisoning a CDN cache by sending X-Forwarded-Host to make /index emit attacker URLs.
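As an added illustration (not part of the glossary entry), the password-reset case above in Python: the vulnerable builder trusts whatever host the request carried, while the hardened one checks the host against an allow-list and otherwise falls back to a configured canonical host. The host names, header values and token are constructed for the example.

```python
# Added example (not from the glossary): a password-reset link builder in its
# vulnerable form and in a hardened form that validates the host against an
# allow-list and falls back to a configured canonical host.
from urllib.parse import urlunsplit

# Constructed configuration: the only hostnames this deployment is served on.
TRUSTED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"


def build_reset_url_vulnerable(headers: dict, token: str) -> str:
    """Trusts the incoming host (X-Forwarded-Host first, then Host).
    A spoofed header ends up in the emailed link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def normalize_host(value: str) -> str:
    """Lower-case and strip an optional :port so the allow-list comparison is
    exact. A forwarded header may carry a comma-separated chain; use the first."""
    first = value.split(",", 1)[0].strip().lower()
    # IPv6 literals such as [::1]:443 keep their brackets; the port follows ']'.
    if first.startswith("["):
        return first.split("]", 1)[0] + "]"
    return first.rsplit(":", 1)[0] if ":" in first else first


def select_trusted_host(headers: dict) -> str:
    """Allow-list check: a header value is honoured only when it names a
    trusted host; anything else is ignored in favour of the canonical host."""
    for name in ("X-Forwarded-Host", "Host"):
        raw = headers.get(name)
        if raw and normalize_host(raw) in TRUSTED_HOSTS:
            return normalize_host(raw)
    return CANONICAL_HOST


def build_reset_url_hardened(headers: dict, token: str) -> str:
    """Builds the link from a validated host, never from raw header text."""
    host = select_trusted_host(headers)
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


if __name__ == "__main__":
    # Constructed request headers: a spoofed X-Forwarded-Host next to the real Host.
    spoofed = {"Host": "example.com", "X-Forwarded-Host": "attacker.invalid"}
    print(build_reset_url_vulnerable(spoofed, "t0k3n"))  # link points at attacker.invalid
    print(build_reset_url_hardened(spoofed, "t0k3n"))    # link stays on example.com
```

Stripping the port in normalize_host means links always use the default HTTPS port; a deployment served on a non-standard port would keep the port in its canonical host configuration instead.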

Related terms