Host Header Injection
Also Known As
Host header attack
HTTP Host injection
TL;DR
A manipulated HTTP Host header is used by the application to generate URLs, enabling cache poisoning, password-reset hijacking, or SSRF.
Explanation
Many PHP applications use $_SERVER['HTTP_HOST'] to construct absolute URLs for password-reset emails, redirect targets, or canonical links. Because the Host header is fully controlled by the client (and can be spoofed or overridden via X-Forwarded-Host in proxied environments), an attacker can inject a malicious host to redirect password-reset links to their own server. Mitigations include maintaining an explicit allowlist of valid hostnames and validating $_SERVER['HTTP_HOST'] against it.
Common Misconception
✗ The Host header can be trusted because it is set by the server. The Host header is sent by the client and is freely forgeable — frameworks using it to build password-reset URLs can be tricked into sending links to attacker-controlled domains.
Why It Matters
Password reset emails and absolute URL generation that rely on the Host header can be poisoned to redirect victims to attacker-controlled domains.
Common Mistakes
- Using $_SERVER['HTTP_HOST'] to build password reset or email verification links without validation.
- Trusting X-Forwarded-Host from reverse proxies without a strict allowlist.
- Generating absolute URLs in cached responses using the Host header — poisons the cache for other users.
- Not configuring a trusted_hosts or allowed_hosts list in the application or framework.
Code Examples
✗ Vulnerable
$resetLink = 'https://' . $_SERVER['HTTP_HOST'] . '/reset?token=' . $token;
✓ Fixed
$resetLink = 'https://www.example.com/reset?token=' . $token; // hardcode trusted origin
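The allowlist approach described in the Explanation, as an added example that is not from the original page: the host is taken from $_SERVER, X-Forwarded-Host is honoured only for requests arriving from a trusted proxy, and the result is checked against an explicit list before any URL is built. Hostnames, the proxy address and the token are constructed placeholders; the code assumes PHP 7.1 or later.

```php
<?php
// Added example: build the reset link from an allowlisted host instead of
// echoing back whatever Host header the client sent.
// All hostnames and addresses below are constructed placeholders.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return the request host if it is on the allowlist, otherwise null.
 * X-Forwarded-Host is only consulted when REMOTE_ADDR is a trusted proxy.
 */
function trustedHost(array $server, array $trustedProxies = []): ?string
{
    $candidate = $server['HTTP_HOST'] ?? '';
    if (isset($server['HTTP_X_FORWARDED_HOST'])
        && in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        // A proxy chain may append several hosts; the first is client-facing.
        $candidate = trim(explode(',', $server['HTTP_X_FORWARDED_HOST'])[0]);
    }
    // Drop an explicit port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($candidate)));
    // Reject anything that is not a plain hostname (no '@', '/', spaces, ...).
    if (!preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** Build the password-reset link; never uses an unvalidated host. */
function resetLink(array $server, string $token): string
{
    // '10.0.0.5' stands in for the reverse proxy's address (constructed).
    $host = trustedHost($server, ['10.0.0.5']);
    if ($host === null) {
        // Unknown host: fall back to the canonical origin, not the request's.
        $host = ALLOWED_HOSTS[0];
    }
    return 'https://' . $host . '/reset?token=' . rawurlencode($token);
}

// Constructed requests for demonstration.
$legit   = ['HTTP_HOST' => 'www.example.com', 'REMOTE_ADDR' => '203.0.113.9'];
$spoofed = ['HTTP_HOST' => 'attacker.example', 'REMOTE_ADDR' => '203.0.113.9'];
$proxied = ['HTTP_HOST' => '10.0.0.5', 'HTTP_X_FORWARDED_HOST' => 'example.com',
            'REMOTE_ADDR' => '10.0.0.5'];

echo resetLink($legit, 'abc'), "\n";
echo resetLink($spoofed, 'abc'), "\n";
echo resetLink($proxied, 'abc'), "\n";
```

Whether to fall back to the canonical host or reject the request outright is a policy choice; either way the generated link never carries a host the application did not explicitly approve.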
Added
15 Mar 2026
Edited
22 Mar 2026
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Maintain an allowlist of valid hostnames and validate $_SERVER['HTTP_HOST'] against it — never use HTTP_HOST in password reset emails or redirects without validation
📦 Applies To
PHP 5.0+
web
api
🔍 Detection Hints
'https://' . $_SERVER['HTTP_HOST'] in password reset URLs; redirect using HTTP_HOST without allowlist validation
Auto-detectable:
✓ Yes
semgrep
owasp-zap
🤖 AI Agent
Confidence: High
False Positives: Medium
✗ Manual fix
Fix: Medium
Context: Function
Tests: Update
CWE-20
CWE-284