Validate the Host header before responding to requests

This commit is contained in:
Nariman Jelveh 2024-04-27 18:52:01 -07:00
parent 92f6c8003b
commit 053728a03f

View File

@ -283,6 +283,29 @@ class WebServerService extends BaseService {
return next();
});
// Validate host header against allowed domains to prevent host header injection
// https://www.owasp.org/index.php/Host_Header_Injection
app.use((req, res, next)=>{
const allowedDomains = [config.domain.toLowerCase(), config.static_hosting_domain.toLowerCase()];
// Retrieve the Host header and ensure it's in a valid format
const hostHeader = req.headers.host;
if (!hostHeader) {
return res.status(400).send('Missing Host header.');
}
// Parse the Host header to isolate the hostname (strip out port if present)
const hostName = hostHeader.split(':')[0].trim().toLowerCase();
// Check if the hostname matches any of the allowed domains
if (allowedDomains.some(allowedDomain => hostName === allowedDomain)) {
next(); // Proceed if the host is valid
} else {
return res.status(400).send('Invalid Host header.');
}
})
app.use(express.json({limit: '50mb'}));
const cookieParser = require('cookie-parser');