How reliable is the "host" in an incoming HTTPS request?

Yevgeny Simkin asked:

I’m trying to understand what level of confidence I can have when my API which lives at api.foo.com receives a POST request from a page that has foo.com specified as its host value in the header.

Specifically – is this something that can be faked (maybe even is somehow easy to fake?) or is it difficult (impossible?) for someone to send something to api.foo.com from some entirely alternate location and spoof in the header that the host is foo.com?

If it’s not difficult or impossible then what’s the industry standard mechanism for verifying that the request is coming from a trusted place?

My answer:


The Host: request header (RFC 7230 § 5.4) is untrusted user input. It is supplied by the user agent to indicate the (virtual) host that the HTTP request pertains to. Any malicious user agent can connect to your server and make a request with an invalid Host: header.

You are meant to validate that the content of the Host: header corresponds to your actual hostname before processing the request. Normally the web server (nginx, Apache, etc.) takes care of this for you and then passes the request to your app. But if you expose the app directly to the Internet, not behind a regular web server, then you must validate it yourself.
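An added example, not part of the Server Fault answer above: a small Python module that parses a raw HTTP/1.x request and validates its Host: header against an allowlist, the check the answer says you must do yourself when the app is exposed directly. The hostnames (api.foo.com, foo.com) and the sample requests are constructed for illustration; build_request shows that any client can write whatever it likes into Host:, which is the whole point.

```python
"""Host header validation for an app exposed directly to the Internet.

Added example, not code from the original answer. Hostnames and the sample
requests are constructed for illustration.
"""
import re

# RFC 7230 allows exactly one Host header. The value may carry a :port
# suffix, and IPv6 literals are bracketed, e.g. "[::1]:8443".
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


def parse_request(raw: bytes):
    """Parse the request line and headers of a raw HTTP/1.x request.

    Returns (method, target, version, headers); headers is a list of
    (lower-cased name, value) pairs in wire order so duplicates survive.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split at the first colon only
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers


def validate_host(headers, allowed_hosts, version="HTTP/1.1"):
    """Return the canonical host if the Host header is acceptable, else raise.

    Rejects a missing Host on HTTP/1.1, more than one Host header, a
    syntactically invalid value, and any hostname not in allowed_hosts
    (compared case-insensitively, ignoring the port).
    """
    hosts = [v for (n, v) in headers if n == "host"]
    if len(hosts) > 1:
        raise ValueError("multiple Host headers")
    if not hosts:
        if version == "HTTP/1.1":
            raise ValueError("HTTP/1.1 request without Host header")
        return None  # HTTP/1.0 clients may legitimately omit it
    m = _HOST_RE.match(hosts[0])
    if not m:
        raise ValueError("malformed Host header: %r" % hosts[0])
    host = m.group("host").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError("Host %r not served here" % host)
    return host


def build_request(host: str, path: str = "/v1/widgets", body: bytes = b"{}") -> bytes:
    """Assemble a POST carrying an arbitrary Host header, as any client can."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/json\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode("iso-8859-1") + body


def check(raw: bytes, allowed_hosts=("api.foo.com",)):
    """Run the validation over a raw request; return (accepted, detail)."""
    try:
        _method, _target, version, headers = parse_request(raw)
        host = validate_host(headers, allowed_hosts, version)
    except ValueError as exc:
        return False, str(exc)
    return True, host


if __name__ == "__main__":
    # Constructed sample: a client somewhere on the Internet connected to
    # api.foo.com but wrote "foo.com" into the Host header.
    print(check(build_request("foo.com")))           # (False, "Host 'foo.com' not served here")
    print(check(build_request("API.FOO.COM:443")))   # (True, 'api.foo.com')
```

Two caveats worth keeping in mind. The allowlist must contain every name the app is really served under (including a bare IP if clients may use one), or legitimate traffic is rejected. And passing this check only confirms which virtual host the client asked for; it says nothing about who sent the request or where it came from.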


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.