Prevent Arbitrary HTTP Host header in nginx
Reinis Rozitis
r at roze.lv
Thu Feb 27 19:51:48 UTC 2020
> Is there a way to prevent Arbitrary HTTP Host header in Nginx? Penetration test has reported accepting arbitrary host headers. Thanks in Advance and I look forward to hearing from you.
You can always define a "catch all" server block with:

    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

(444 is connection close without response)

And then just add valid host names to the other server blocks.
rr
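
The layout described in the reply above, written out as a full configuration. This is an added example, not part of the original post: the host names, document root and certificate paths are placeholders, and it goes beyond the reply by also covering port 443 with `ssl_reject_handshake`, which requires nginx 1.19.4 or later.

```nginx
# Catch-all for plain HTTP: any request whose Host header matches
# no server_name in the other blocks lands here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;                # nginx-specific: close the connection, send no response
}

# Catch-all for HTTPS (assumption: nginx 1.19.4+ for ssl_reject_handshake).
# A handshake whose SNI matches no server_name is rejected, so no
# certificate is needed in this block.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;                # Host header matching no server_name on an accepted connection
}

# The real site: only the host names listed here reach this block.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;                # placeholder names

    ssl_certificate     /etc/nginx/tls/example.com.crt;     # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;     # placeholder path

    root /var/www/example;                                  # placeholder path
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After a reload, a request sent with a Host value that is not listed in any `server_name` should have its connection closed with no response, while requests for the listed names are served as before.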