Host Header Injection
What is Host Header Injection?
Host Header Injection: A vulnerability where an application trusts the HTTP Host (or X-Forwarded-Host) header to build URLs, allowing attackers to redirect users or poison caches.
Host header injection occurs when server-side code uses the Host header, or proxy variants such as X-Forwarded-Host, to construct absolute URLs (password-reset links, redirects, image src, canonical tags, OAuth callbacks) without validating it against an allow-list. Because the value is fully attacker-controlled on every request, an attacker sets it to a hostile domain and the application dutifully emits links pointing there: a victim's password-reset email carries the attacker's host (password reset poisoning), a cached page is served to everyone with attacker URLs baked in (cache poisoning), or back-end requests are routed to an attacker-chosen hostname (SSRF-style routing). The flaw is common behind reverse proxies, where the application consults several host-bearing headers and trusts whichever is present, and in frameworks whose default virtual host answers for any Host value. Mitigations: derive absolute URLs from a configured canonical host rather than from the request; validate Host and X-Forwarded-Host against an explicit allow-list and reject mismatches with a 400 (Django's ALLOWED_HOSTS setting is one example of this control); have the edge proxy overwrite, not append, forwarded headers and strip any it did not set; and make sure the catch-all virtual host does not serve the application. HSTS hardens transport but does not address header trust, so it is not a substitute for host validation.
● Examples
- 01
Triggering a password reset that emails a link to https://attacker.com/reset?token=... because the app uses Host.
- 02
Poisoning a CDN cache by sending X-Forwarded-Host to make /index emit attacker URLs.
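The password-reset poisoning described in the definition and in example 01, shown as an added illustration that is not code from the original page: a link builder that trusts X-Forwarded-Host and Host next to a hardened one that validates the request host against an allow-list. The hostnames, header values and the ALLOWED_HOSTS/CANONICAL_HOST settings are constructed for the example; the headers dict stands in for whatever the web framework exposes.

```python
"""Password-reset link construction: Host-trusting version beside a hardened one.

Added example; the allow-list, canonical host and request headers below are
assumptions made for illustration, not values from any real deployment.
"""
from urllib.parse import urlunsplit

# Hypothetical configuration: the only names this deployment may be addressed as.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "example.com"


def _get_header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup, as most frameworks provide."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return ""


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The flaw: the link host is whatever the client sent.

    X-Forwarded-Host wins over Host, mirroring proxy-aware frameworks that
    prefer the forwarded value without checking who set it.
    """
    host = _get_header(headers, "X-Forwarded-Host") or _get_header(headers, "Host")
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def _normalize_host(raw: str) -> str:
    """Lower-case, drop a trailing dot and any :port so allow-list matching is exact."""
    host = raw.strip().lower().rstrip(".")
    if host.startswith("["):            # IPv6 literal such as [::1]:443
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    return host


def effective_host(headers: dict, trust_forwarded: bool = False) -> str:
    """Return the validated request host, or raise ValueError.

    trust_forwarded must only be True when a trusted edge proxy is known to
    overwrite X-Forwarded-Host on every request; otherwise the header is
    ignored entirely rather than consulted and then checked.
    """
    raw = _get_header(headers, "X-Forwarded-Host") if trust_forwarded else ""
    if not raw:
        raw = _get_header(headers, "Host")
    host = _normalize_host(raw)
    if host not in ALLOWED_HOSTS:
        # Reject outright: an unexpected Host is a bad request, not a user to help.
        raise ValueError(f"untrusted host in request: {raw!r}")
    return host


def reset_link_hardened(headers: dict, token: str, trust_forwarded: bool = False) -> str:
    """Validate the host first, then build the link from the validated value.

    The port is deliberately not carried over: links are emitted on the
    canonical scheme and port, so a spoofed :port cannot be smuggled in either.
    """
    host = effective_host(headers, trust_forwarded)
    return urlunsplit(("https", host, "/reset", f"token={token}", ""))


def reset_link_fixed_host(token: str) -> str:
    """Simplest fix when the site has one public name: never read the header."""
    return urlunsplit(("https", CANONICAL_HOST, "/reset", f"token={token}", ""))


if __name__ == "__main__":
    # Constructed attacker request: legitimate Host, injected X-Forwarded-Host.
    poisoned = {"Host": "example.com", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", reset_link_vulnerable(poisoned, "t0k3n"))
    print("hardened  :", reset_link_hardened(poisoned, "t0k3n"))
    print("fixed host:", reset_link_fixed_host("t0k3n"))
```

The hardened builder treats the forwarded header as absent unless the deployment has explicitly declared that a trusted proxy controls it, and it rejects rather than falls back when the host is not allow-listed; a lookalike such as example.com.attacker.example fails the exact-match check, and a case or port variation is normalised before comparison so it cannot be used to slip past the list.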
● Frequently asked questions
What is Host Header Injection?
A vulnerability where an application trusts the HTTP Host (or X-Forwarded-Host) header to build URLs, allowing attackers to redirect users or poison caches. It belongs to the Vulnerabilities category of cybersecurity.
What does Host Header Injection mean?
A vulnerability where an application trusts the HTTP Host (or X-Forwarded-Host) header to build URLs, allowing attackers to redirect users or poison caches.
How do you defend against Host Header Injection?
Defences for Host Header Injection combine technical controls and operational practice: build absolute URLs from a configured canonical host instead of the request, validate Host and X-Forwarded-Host against an explicit allow-list and reject anything else with a 400, have the reverse proxy overwrite rather than append forwarded headers and strip any it did not set, and keep the application off the server's default or catch-all virtual host. Test the reset, redirect and canonical-link paths with a spoofed Host and X-Forwarded-Host as part of routine checks.
What are other names for Host Header Injection?
Common alternative names include: X-Forwarded-Host injection, Virtual host abuse.