How reliable is the "host" in an incoming HTTPS request?

Yevgeny Simkin asked:

I’m trying to understand what level of confidence I can have when my API which lives at receives a POST request from a page that has specified as its host value in the header.

Specifically – is this something that can be faked (maybe even is somehow easy to fake?) or is it difficult (impossible?) for someone to send something to from some entirely alternate location and spoof in the header that the host is

If it’s not difficult or impossible then what’s the industry standard mechanism for verifying that the request is coming from a trusted place?

My answer:

The Host: request header (RFC 7230 § 5.4) is untrusted user input. It is supplied by the user agent to indicate the (virtual) host that the HTTP request pertains to. Any malicious user agent can connect to your server and make a request with an invalid Host: header.

You are meant to validate that the content of the Host: header corresponds to your actual hostname before processing the request. Normally the web server (nginx, Apache, etc.) takes care of this for you and then passes the request to your app. But if you expose the app directly to the Internet, not behind a regular web server, then you must validate it yourself.
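As an added example (not part of the original answer), here is the kind of Host: validation the last paragraph describes for an app that is exposed directly rather than behind nginx or Apache. The hostnames in the allow-list are constructed placeholders; the parsing follows the RFC 7230 `Host = uri-host [ ":" port ]` grammar and is shown as a WSGI wrapper so the check runs before the application sees the request.

```python
import re

# Constructed allow-list: replace with the hostnames your app is actually served as.
ALLOWED_HOSTS = {"api.example.com", "www.example.com"}
ALLOWED_PORTS = {None, 443}  # None = no explicit port in the header

# RFC 7230 §5.4: Host = uri-host [ ":" port ]; uri-host may be a bracketed IPv6 literal.
_HOST_RE = re.compile(
    r"^(?:\[(?P<v6>[0-9a-fA-F:.]+)\]|(?P<name>[a-zA-Z0-9.-]+))(?::(?P<port>\d{1,5}))?$"
)


def parse_host(value):
    """Split a raw Host header into (host, port). Returns None if absent or malformed."""
    if value is None:
        return None
    m = _HOST_RE.match(value.strip())
    if not m:
        return None
    host = (m.group("v6") or m.group("name")).lower().rstrip(".")  # names are case-insensitive
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        return None
    return host, port


def host_is_allowed(value, allowed_hosts=ALLOWED_HOSTS, allowed_ports=ALLOWED_PORTS):
    """True only if the header names one of our own hosts on an expected port."""
    parsed = parse_host(value)
    if parsed is None:
        return False
    host, port = parsed
    return host in allowed_hosts and port in allowed_ports


def host_check_middleware(app, allowed_hosts=ALLOWED_HOSTS):
    """WSGI wrapper: reject requests with a missing, malformed or foreign Host header."""
    def wrapped(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST"), allowed_hosts):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Host header\n"]
        return app(environ, start_response)
    return wrapped
```

Rejecting with 400 rather than silently serving a default site is the same behaviour a front-end web server's default/catch-all virtual host gives you.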

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.