HTTP Host Header Injection

Medium Severity Technical Guide

Vulnerability Description

HTTP Host Header Injection occurs when an application uses the value of the HTTP Host header to build absolute links, password-reset links, or script imports without first validating it against a whitelist of expected hosts. Because the client controls this header, an unvalidated value ends up in content the application generates.

Remediation Guide

To resolve this vulnerability, apply the following configuration changes or development practices:

Configure the web server to validate incoming Host headers against the hostnames it is meant to serve and to drop requests carrying an unrecognized host. Generate absolute links from a configured base URL rather than from request headers.
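As an added example (not WebScanify's code), the password-reset link builder below shows the vulnerable pattern beside a hardened version that enforces a host allowlist and builds links from a configured base URL; the base URL, hostnames and function names are hypothetical.

```python
# Added example, not part of the original page. Hypothetical values throughout.
from urllib.parse import urlsplit

# Hypothetical deployment configuration: the canonical public origin and the
# hostnames this server is legitimately reachable under.
CANONICAL_BASE_URL = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}


def reset_link_vulnerable(request_headers: dict, token: str) -> str:
    """Builds the link from whatever Host header the client sent.

    If the header does not name this site, the reset token is embedded in a
    link that points somewhere else. This is the pattern to remove.
    """
    host = request_headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def host_is_allowed(host_header: str) -> bool:
    """Checks a Host header value against the allowlist.

    Tolerates an explicit port and letter case; rejects an empty value,
    an unknown hostname, or a value smuggling path or userinfo characters.
    """
    if not host_header:
        return False
    # Parsing the scheme-less '//host:port' form separates the hostname from
    # the port and exposes stray path or userinfo parts a plain split misses.
    parts = urlsplit("//" + host_header)
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    hostname = (parts.hostname or "").lower()
    return hostname in ALLOWED_HOSTS


def reset_link_hardened(request_headers: dict, token: str) -> str:
    """Drops requests with an unrecognized Host header and builds the link
    from the configured base URL, never from the request."""
    if not host_is_allowed(request_headers.get("Host", "")):
        raise ValueError("unrecognized Host header; request dropped")
    return f"{CANONICAL_BASE_URL}/reset?token={token}"
```

The allowlist check belongs at the web-server or framework layer so that every handler benefits, not only the one that builds reset links.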

Verify Your Fix

After applying the remediation, run an external attack-surface scan to verify that the vulnerability is no longer detected by WebScanify.

Is your website vulnerable?

Run a free security scan now to identify missing headers, outdated JS, and other deployment vulnerabilities.