Yevgeny Simkin asked:
I’m trying to understand what level of confidence I can have when my API which lives at api.foo.com receives a POST request from a page that has foo.com specified as its host value in the header.

Specifically – is this something that can be faked (maybe even is somehow easy to fake?) or is it difficult (impossible?) for someone to send something to api.foo.com from some entirely alternate location and spoof in the header that the host is

If it’s not difficult or impossible then what’s the industry standard mechanism for verifying that the request is coming from a trusted place?
The Host: request header (RFC 7230 § 5.4) is untrusted user input. It is supplied by the user agent to indicate the (virtual) host that the HTTP request pertains to. Any malicious user agent can connect to your server and make a request with an invalid Host: header.
You are meant to validate that the content of the Host: header corresponds to your actual hostname before processing the request. Normally the web server (nginx, Apache, etc.) takes care of this for you and then passes the request to your app. But if you expose the app directly to the Internet, not behind a regular web server, then you must validate it yourself.
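One way to do the validation the answer describes, as an added example that is not part of the original answer: a Host header check for an app exposed directly to the Internet with no nginx/Apache in front. It assumes the hostname api.foo.com from the question as the allowlist and accepts either no port or port 443; those values and the function names are this example's own choices.

```python
# Added example: validating the Host: header (RFC 7230 § 5.4) in the app itself.
# Passing this check only means the request names a host we serve; it says
# nothing about where the request came from, since any client can send any value.
import ipaddress

# Assumed deployment values for the API in the question; adjust to your own.
ALLOWED_HOSTS = {"api.foo.com"}
ALLOWED_PORTS = {None, 443}  # no explicit port, or the HTTPS default


def split_host_port(host_value):
    """Parse a Host field-value into (lowercased host, port or None).
    Returns None when the value is syntactically invalid."""
    if not host_value or any(ch.isspace() for ch in host_value):
        return None  # empty, or whitespace/CRLF smuggled into the value
    if host_value.startswith("["):
        # IPv6 literal, e.g. "[::1]" or "[::1]:8443"
        end = host_value.find("]")
        if end == -1:
            return None
        name, rest = host_value[: end + 1], host_value[end + 1 :]
        try:
            ipaddress.IPv6Address(name[1:-1])
        except ValueError:
            return None
    else:
        name, sep, port_str = host_value.partition(":")
        rest = sep + port_str
        if not name or ":" in port_str:
            return None  # empty host, or an unbracketed IPv6 address
    if rest == "":
        return name.lower(), None
    if not rest.startswith(":"):
        return None
    port_str = rest[1:]
    if not (port_str.isascii() and port_str.isdigit()) or not 0 < int(port_str) < 65536:
        return None
    return name.lower(), int(port_str)


def host_is_trusted(host_value, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS):
    """True only if the Host value exactly names a host and port we serve."""
    parsed = split_host_port(host_value)
    if parsed is None:
        return False
    name, port = parsed
    return name in allowed_hosts and port in allowed_ports


def validate_host(headers):
    """Given request headers as (name, value) pairs, return None to accept the
    request or an HTTP status code to reject it with before any processing."""
    host_values = [v for (k, v) in headers if k.lower() == "host"]
    if len(host_values) != 1:
        return 400  # RFC 7230 § 5.4: missing or duplicated Host is a 400
    if not host_is_trusted(host_values[0]):
        return 400  # invalid or unrecognised host; 421 is also used for the latter
    return None
```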
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.