Prevent Arbitary HTTP Host header in nginx

Reinis Rozitis r at
Thu Feb 27 19:51:48 UTC 2020

> Is there a way to prevent Arbitrary HTTP Host header in Nginx? Penetration test has reported accepting arbitrary host headers. Thanks in Advance and I look forward to hearing from you.

You can always define "catch all" server block with:

server {
    listen       80  default_server;
    server_name  _;
    return       444;

(444 is connection close without response)

And then just add valid host names to the other server blocks.


More information about the nginx mailing list