
Host header check

Open plynchnlm opened this issue 3 years ago • 3 comments

What's the problem this feature will solve?

Defend against DNS rebinding attacks (https://en.wikipedia.org/wiki/DNS_rebinding).

Describe the solution you'd like

Add a new option for specifying the permitted value of the Host HTTP header (i.e. the hostname of the server to which the request is sent).

A key part of the DNS rebinding attack is that the user's browser will be sending a request to an internal server with an invalid Host header for that server, i.e., the Host header's value is not a real DNS name for the IP address on which the server is running. If the server checks the Host header against the value provided in the new option, the attack fails. For an example of a server that does this, see https://angular.io/cli/serve and its "--host" option.

Alternative Solutions

I don't see any other solution other than to use a different package.

Additional context

Note that DNS rebinding is an issue even when running the server on a development machine behind a firewall. Anyone who has access to the development machine's server and who also browses to a malicious website can open up access to that development server.

plynchnlm avatar Oct 25 '21 21:10 plynchnlm
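The check described in this request, as an added example that is not http-server's own code: a Node.js request handler that serves a request only when its Host header, after the port and any IPv6 brackets are stripped, names an allowlisted hostname. `ALLOWED_HOSTS`, `parseHostname`, `isHostAllowed` and `hostCheckHandler` are assumed names, and the allowlist values are constructed.

```javascript
// Added example, not http-server's own code: a Host-header allowlist check
// of the kind this issue requests, as a Node.js request handler.
// ALLOWED_HOSTS, parseHostname, isHostAllowed, hostCheckHandler are assumed names.

// Constructed allowlist: hostnames under which this dev server is legitimately
// reached. A request whose Host header names anything else (as one from a
// DNS-rebinding page would) is refused before any file is served.
const ALLOWED_HOSTS = ['localhost', '127.0.0.1', 'dev.example.test'];

// Reduce a Host header value to its hostname: drop a :port suffix and the
// brackets around an IPv6 literal. Returns null for an absent or malformed
// header so the caller rejects instead of guessing.
function parseHostname(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  const value = hostHeader.trim().toLowerCase();
  if (value.startsWith('[')) {                 // bracketed IPv6 literal
    const end = value.indexOf(']');
    if (end === -1) return null;
    const rest = value.slice(end + 1);
    if (rest !== '' && !/^:\d+$/.test(rest)) return null;
    return value.slice(1, end);
  }
  const parts = value.split(':');
  if (parts.length > 2) return null;           // unbracketed IPv6 is malformed
  if (parts.length === 2 && !/^\d+$/.test(parts[1])) return null;
  return parts[0].replace(/\.$/, '');          // "localhost." is "localhost"
}

function isHostAllowed(hostHeader, allowed = ALLOWED_HOSTS) {
  const hostname = parseHostname(hostHeader);
  return hostname !== null && allowed.includes(hostname);
}

// Enforce the check first; only an allowlisted Host reaches the real handler.
function hostCheckHandler(req, res) {
  if (!isHostAllowed(req.headers.host)) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    res.end('Bad Request: Host header not permitted\n');
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('hello from the dev server\n');
}

module.exports = { ALLOWED_HOSTS, parseHostname, isHostAllowed, hostCheckHandler };
```

Start it with `require('http').createServer(hostCheckHandler).listen(8080, '127.0.0.1')`.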

Just to clarify, does this match with ng serve's --host or --allowed-hosts option?

Does this have any effect on servers which are running without a hostname?

thornjad avatar Oct 26 '21 14:10 thornjad

It corresponds to ng serve's --host parameter. If a server did not have a hostname, then you would not be able to use --host to specify it.

plynchnlm avatar Nov 01 '21 20:11 plynchnlm

This issue has been inactive for 180 days

github-actions[bot] avatar May 01 '22 12:05 github-actions[bot]