Add HTTP/3 Host header support for ModSecurity
ModSecurity cannot see the Host header in HTTP/3 requests because HTTP/3 uses the :authority pseudo-header, which nginx parses into r->headers_in.server but doesn't add to the headers list.
This commit:
- Adds a NGX_HTTP_VERSION_30 case to the http_version switch
- Manually extracts Host from r->headers_in.server for HTTP/3 requests
- Adds the Host header to the ModSecurity transaction before processing other headers

Fixes #305 (false positives from OWASP CRS rule 920280, Missing Host Header, on HTTP/3 connections).
Tested with nginx 1.29.3 and ModSecurity 3.0.13.
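The description above says what the connector does for HTTP/3 but not what the transaction ends up seeing. The following is an added, stand-alone model of that logic; it is not code from this PR or from the ModSecurity-nginx connector. `request_t`, `header_t` and `tx_t` are hypothetical stand-ins for nginx's `ngx_http_request_t`, its `headers_in` list and the ModSecurity transaction, the `HTTP_VERSION_*` values are assumed, and `tx_add()` stands in for the connector's call into libmodsecurity. It covers the three cases a reviewer would want checked: an HTTP/3 request whose `:authority` landed in `server`, an HTTP/1.1 request that already carries Host (nothing is synthesized, even with a lowercase header name), and an HTTP/3 request with no authority at all (nothing is invented, so a rule like 920280 still fires, legitimately).

```c
/*
 * Added example (not code from the ModSecurity-nginx connector or from
 * this PR): a stand-alone model of the Host-header synthesis for HTTP/3.
 * request_t / header_t / tx_t are hypothetical stand-ins for nginx's
 * ngx_http_request_t, its headers_in list and the ModSecurity
 * Transaction; tx_add() stands in for the connector's call into
 * libmodsecurity.  The HTTP_VERSION_* values are assumed.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HTTP_VERSION_11 1001
#define HTTP_VERSION_20 2000
#define HTTP_VERSION_30 3000

#define MAX_HEADERS 8

typedef struct {
    const char *key;
    const char *value;
} header_t;

typedef struct {
    int         http_version;
    const char *server;               /* stand-in for r->headers_in.server:
                                         Host (HTTP/1.x) or :authority (HTTP/3) */
    header_t    headers[MAX_HEADERS]; /* the headers_in list the connector iterates */
    int         nheaders;
} request_t;

typedef struct {
    header_t hdr[MAX_HEADERS + 1];    /* +1 leaves room for a synthesized Host */
    int      n;
} tx_t;

/* Stand-in for adding a request header to the ModSecurity transaction. */
static void tx_add(tx_t *tx, const char *key, const char *value)
{
    if (tx->n < MAX_HEADERS + 1) {
        tx->hdr[tx->n].key = key;
        tx->hdr[tx->n].value = value;
        tx->n++;
    }
}

/* Header field names are case-insensitive, so compare them that way. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int list_has_host(const header_t *h, int n)
{
    for (int i = 0; i < n; i++)
        if (name_equal(h[i].key, "Host"))
            return 1;
    return 0;
}

/*
 * Feed the request headers to the transaction.  For HTTP/3 the
 * :authority value is only available in server, so when the list
 * carries no Host it is added as Host before the other headers.
 * Returns 1 if a Host header was synthesized, 0 otherwise.
 */
int feed_headers(const request_t *r, tx_t *tx)
{
    int synthesized = 0;

    if (r->http_version == HTTP_VERSION_30
        && r->server != NULL && r->server[0] != '\0'
        && !list_has_host(r->headers, r->nheaders)) {
        tx_add(tx, "Host", r->server);
        synthesized = 1;
    }

    for (int i = 0; i < r->nheaders; i++)
        tx_add(tx, r->headers[i].key, r->headers[i].value);

    return synthesized;
}

/* The condition CRS 920280 effectively tests: does the transaction see a Host header? */
int tx_has_host(const tx_t *tx)
{
    return list_has_host(tx->hdr, tx->n);
}

int main(void)
{
    /* Constructed sample: an HTTP/3 request whose :authority ended up in server. */
    request_t h3 = { HTTP_VERSION_30, "example.com",
                     { { "User-Agent", "curl/8.0" }, { "Accept", "*/*" } }, 2 };
    tx_t tx = {0};

    int added = feed_headers(&h3, &tx);
    printf("HTTP/3: synthesized Host=%d, transaction sees Host=%d\n",
           added, tx_has_host(&tx));
    for (int i = 0; i < tx.n; i++)
        printf("  %s: %s\n", tx.hdr[i].key, tx.hdr[i].value);
    return 0;
}
```

Two things worth noticing when mapping this back to the real connector: the empty-authority case is deliberately left alone rather than papered over, and the synthesized header goes in before the rest of the list so that rules running in header order see it first, as the PR description states.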
Quality Gate passed: 0 new issues, 0 accepted issues, 0 security hotspots, 0.0% coverage on new code, 0.0% duplication on new code.
Hi @AMoo-Miki,
first of all, thank you for your PR.
I am sure that this is a very important step towards being able to handle HTTP/3 requests. But I'm not sure this is the right way.
Please do not misunderstand me, I don't want to reject this PR, but I think we need to discuss how we can handle HTTP/3 headers correctly.
I think adding a header with the name Host when it is not the Host header is not accurate and might be misleading. I mean, in the case of HTTP/3, the authority header should be added as authority - but I'm not sure about that; this is why I think we should discuss it.
Also, please add some tests to this new feature.