{
    "slug": "host_header_injection",
    "term": "Host Header Injection",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A manipulated HTTP Host header is used by the application to generate URLs, enabling cache poisoning, password-reset hijacking, or SSRF.",
    "long": "Many PHP applications use $_SERVER['HTTP_HOST'] to construct absolute URLs for password-reset emails, redirect targets, or canonical links. Because the Host header is fully controlled by the client (and can be spoofed or overridden via X-Forwarded-Host in proxied environments), an attacker can supply a malicious host so that the generated password-reset links point at a server they control. Mitigations include maintaining an explicit allowlist of valid hostnames and validating $_SERVER['HTTP_HOST'] (and X-Forwarded-Host, where a trusted proxy sets it) against it, or building absolute URLs from a configured canonical hostname rather than from the request.",
    "aliases": [
        "Host header attack",
        "HTTP Host injection"
    ],
    "tags": [
        "injection",
        "headers",
        "ssrf",
        "password-reset"
    ],
    "misconception": "The Host header can be trusted because it is set by the server. In reality the Host header is sent by the client and is freely forgeable — frameworks that use it to build password-reset URLs can be tricked into sending links to attacker-controlled domains.",
    "why_it_matters": "Password reset emails and absolute URL generation that rely on the Host header can be poisoned to redirect victims to attacker-controlled domains.",
    "common_mistakes": [
        "Using $_SERVER['HTTP_HOST'] to build password reset or email verification links without validation.",
        "Trusting X-Forwarded-Host from reverse proxies without a strict allowlist.",
        "Generating absolute URLs from the Host header in responses that are cached, which poisons the cached copy served to other users.",
        "Not configuring a trusted_hosts or allowed_hosts list in the application or framework."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "cache_poisoning",
        "open_redirect",
        "ssrf"
    ],
    "prerequisites": [
        "input_validation",
        "security_headers",
        "dns_rebinding"
    ],
    "refs": [
        "https://portswigger.net/web-security/host-header",
        "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/17-Testing_for_Host_Header_Injection"
    ],
    "bad_code": "$resetLink = 'https://' . $_SERVER['HTTP_HOST'] . '/reset?token=' . $token;",
    "good_code": "$resetLink = 'https://www.example.com/reset?token=' . $token; // hardcode trusted origin",
    "quick_fix": "Maintain an allowlist of valid hostnames and validate $_SERVER['HTTP_HOST'] against it — never use HTTP_HOST in password reset emails or redirects without validation",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/host_header_injection",
        "html_url": "https://codeclaritylab.com/glossary/host_header_injection",
        "json_url": "https://codeclaritylab.com/glossary/host_header_injection.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Host Header Injection](https://codeclaritylab.com/glossary/host_header_injection) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/host_header_injection"
            }
        }
    }
}