Host Header Injection

Why trusting the request Host header lets attackers redirect links and password resets.

The Problem

The Host header is supplied by the client and tells the server which site is being requested. Code that trusts it to build absolute URLs, links, or password reset emails can be tricked into pointing victims at an attacker-controlled domain.

Common Abuses

  • Poisoned password reset links that send the reset token to the attacker's host.
  • Cache poisoning when the reflected host is cached.
  • Routing tricks that reach internal virtual hosts.

Defenses

  • Validate the incoming host against an allowlist of known domains.
  • Build absolute URLs from a server-configured canonical hostname, never from the raw header.
  • Reject or normalize requests whose host does not match expected values.
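Added example (not from the lesson): a vulnerable reset-link builder next to a hardened one that applies the three defenses above. The allowlist, canonical hostname, and the constructed request headers are assumptions for illustration.

```python
from urllib.parse import quote, urlunsplit

# Assumed deployment configuration: hostnames this server legitimately answers for.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
# Fixed canonical hostname used for every absolute URL the server emits.
CANONICAL_HOST = "www.example.com"


def reset_link_vulnerable(headers, token):
    """Builds the reset link from the raw Host header, so the client chooses the domain."""
    return f"https://{headers.get('Host', '')}/reset?token={token}"


def host_is_allowed(headers):
    """Validate the Host header against the allowlist.

    Lowercases, strips an optional :port suffix, and rejects anything that is
    not an exact allowlisted name (missing, empty, userinfo or path tricks).
    """
    name = headers.get("Host", "").strip().lower()
    if not name or "@" in name or "/" in name:
        return False
    if ":" in name:
        name, _, port = name.rpartition(":")
        if not port.isdigit():
            return False
    return name in ALLOWED_HOSTS


def reset_link_hardened(headers, token):
    """Reject a mismatched host (caller should answer 400); otherwise build the
    link from the canonical hostname only, never from the header value."""
    if not host_is_allowed(headers):
        return None
    query = "token=" + quote(token, safe="")
    return urlunsplit(("https", CANONICAL_HOST, "/reset", query, ""))


if __name__ == "__main__":
    # Constructed request headers: a client supplying a host the server does not own.
    spoofed = {"Host": "evil.example.net"}
    print(reset_link_vulnerable(spoofed, "t0k3n"))   # points at the spoofed host
    print(reset_link_hardened(spoofed, "t0k3n"))     # None: request rejected
    print(reset_link_hardened({"Host": "Example.com:443"}, "t0k3n"))
```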

Key idea

The Host header is attacker-controlled, so validate it against an allowlist and build URLs from a fixed canonical hostname rather than from the raw value.

Check yourself

1. Why is the Host header dangerous to trust?

2. What is a sound defense?