Host Header Injection

Security · CWE-116 · OWASP A3:2021 · CVSS 7.5 · PHP 5.0+ · Intermediate
debt(d5/e3/b3/t9)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints.tools list includes semgrep and owasp-zap — both specialist tools. Semgrep requires a custom or community rule to flag `$_SERVER['HTTP_HOST']` usage in sensitive contexts; owasp-zap can detect it via active scanning. Neither is a default linter catch, so d5 is the right anchor.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is to maintain an allowlist of valid hostnames and validate `$_SERVER['HTTP_HOST']` against it — a small, localised change. The common_mistakes point to a pattern (unsanitised HTTP_HOST in password reset URLs, redirects, cached responses) that can be fixed by introducing validation in one or a few places. It doesn't require cross-cutting architectural rework, but it's more than a single one-line swap because the pattern may appear in several places (password reset, email verification, URL generation).

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to scope is web and API contexts. The fix — an allowlist validation — is localised to URL-generation and redirect logic. It imposes a small persistent check requirement on those paths, but doesn't reshape the entire codebase or create gravitational pull on unrelated components.

t9 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'catastrophic trap' (t9). The misconception field states exactly this trap: developers believe the Host header is set by the server and can be trusted, when in reality it is freely forgeable by the client. This is a deeply counterintuitive inversion — the 'obvious' assumption (server controls Host) is always wrong in HTTP, and the consequence (password-reset link poisoning, cache poisoning) is severe. This matches t9: the obvious way is always wrong.


Also Known As

Host header attack; HTTP Host injection

TL;DR

A manipulated HTTP Host header is used by the application to generate URLs, enabling cache poisoning, password-reset hijacking, or SSRF.

Explanation

Many PHP applications use $_SERVER['HTTP_HOST'] to construct absolute URLs for password-reset emails, redirect targets, or canonical links. Because the Host header is fully controlled by the client (and can be spoofed or overridden via X-Forwarded-Host in proxied environments), an attacker can inject a malicious host to redirect password-reset links to their own server. Mitigations include maintaining an explicit allowlist of valid hostnames and validating $_SERVER['HTTP_HOST'] against it.

Common Misconception

The Host header is assumed to be trustworthy because it is set by the server. In fact the Host header is sent by the client and is freely forgeable; frameworks that use it to build password-reset URLs can be tricked into sending links to attacker-controlled domains.

Why It Matters

Password reset emails and absolute URL generation that rely on the Host header can be poisoned to redirect victims to attacker-controlled domains.

Common Mistakes

  • Using $_SERVER['HTTP_HOST'] to build password reset or email verification links without validation.
  • Trusting X-Forwarded-Host from reverse proxies without a strict allowlist.
  • Generating absolute URLs in cached responses using the Host header — poisons the cache for other users.
  • Not configuring a trusted_hosts or allowed_hosts list in the application or framework.

Code Examples

✗ Vulnerable
$resetLink = 'https://' . $_SERVER['HTTP_HOST'] . '/reset?token=' . $token;
✓ Fixed
$resetLink = 'https://www.example.com/reset?token=' . $token; // hardcode trusted origin
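An added example, not code from the original page, extending the hardcoded fix above to the allowlist validation described under Explanation, Common Mistakes and Quick Fix. The hostnames, the `$trustProxy` flag and the helper names `resolveTrustedHost()` / `buildResetLink()` are assumptions.

```php
<?php
// Added example, not from the original page: validate the request host against
// an explicit allowlist before using it to build a password-reset link.
// ALLOWED_HOSTS, resolveTrustedHost() and buildResetLink() are assumed names.
declare(strict_types=1);

const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

/**
 * Return the canonical host for URL generation, or null if the request host
 * (or a proxy-supplied override) is not on the allowlist.
 *
 * $trustProxy should be true only when a reverse proxy you control sets
 * X-Forwarded-Host and strips any copy the client sent.
 */
function resolveTrustedHost(array $server, bool $trustProxy = false): ?string
{
    $raw = (string) ($server['HTTP_HOST'] ?? '');
    if ($trustProxy && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        // Some proxies append hosts as a comma-separated list; take the first.
        $raw = trim(explode(',', (string) $server['HTTP_X_FORWARDED_HOST'])[0]);
    }
    // Drop an explicit port and normalise case before comparing.
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));
    // Exact match only: no substring or suffix checks, so a host such as
    // www.example.com.evil.test does not pass.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

function buildResetLink(array $server, string $token, bool $trustProxy = false): string
{
    $host = resolveTrustedHost($server, $trustProxy);
    if ($host === null) {
        // Unknown host: never echo it back. Use the canonical origin instead
        // (or reject the request with HTTP 400 if that suits the application).
        $host = ALLOWED_HOSTS[0];
    }
    return 'https://' . $host . '/reset?token=' . rawurlencode($token);
}

// Constructed sample requests: a legitimate host, a spoofed Host header, and
// a proxied request whose X-Forwarded-Host is not on the allowlist.
$samples = [
    'legitimate' => [['HTTP_HOST' => 'www.example.com'], false],
    'spoofed'    => [['HTTP_HOST' => 'evil.test'], false],
    'forwarded'  => [['HTTP_HOST' => 'lb.internal', 'HTTP_X_FORWARDED_HOST' => 'evil.test'], true],
];
foreach ($samples as $label => [$server, $trustProxy]) {
    echo $label, ': ', buildResetLink($server, 'tok-123', $trustProxy), PHP_EOL;
}
```

Only the legitimate request yields a link on the request host; the other two fall back to the canonical origin rather than echoing the supplied value.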

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Low
⚡ Quick Fix
Maintain an allowlist of valid hostnames and validate $_SERVER['HTTP_HOST'] against it — never use HTTP_HOST in password reset emails or redirects without validation
📦 Applies To
PHP 5.0+ · web · api
🔗 Prerequisites
🔍 Detection Hints
'https://' . $_SERVER['HTTP_HOST'] in password reset URLs; redirect using HTTP_HOST without allowlist validation
Auto-detectable: ✓ Yes (semgrep, owasp-zap)
⚠ Related Problems
🤖 AI Agent
Confidence: High · False Positives: Medium · ✗ Manual fix · Fix: Medium · Context: Function · Tests: Update
CWE-20 CWE-284