
Secure Host header

The Host header in HTTP requests specifies the domain of the resource being requested. If it is not properly validated, an attacker can supply an arbitrary value, which can lead to security issues such as poisoned absolute URLs in generated links or redirects. To protect your installation of Bravura Security Fabric, it is crucial to ensure that the Host header is validated correctly. The product installer does not restrict accepted hostnames automatically, but you can safeguard the Host header by configuring validation rules.

Recommended Approach

Ideally, Host header validation should be configured on your load balancer to ensure that all incoming traffic is validated before it reaches your Bravura Security Fabric instances. If you are unable to configure this on a load balancer, you can apply the validation directly on each Bravura Security Fabric instance.

Configuring Host header validation on a load balancer

If your load balancer supports URL Rewrite rules or similar features, configure Host header validation at the load balancer level to filter out invalid hostnames. This approach centralizes security and reduces configuration overhead on individual instances.

Configuring Host Header Validation in IIS

If you need to configure Host header validation on each Bravura Security Fabric instance, follow these steps to set up URL Rewrite rules in IIS:

  1. Launch Internet Information Services (IIS) Manager on your server.

  2. Navigate to your site.

    1. In the left panel, expand the server node.

    2. Expand Sites to view the list of sites.

    3. Expand Default Web Site.

    4. Click on the virtual directory where Bravura Security Fabric is installed.

  3. Double click on URL Rewrite in the middle panel.

  4. Add a new rewrite rule.

    1. Click on Add Rule(s)... in the Actions pane on the right.

    2. Select Blank rule and click OK.

  5. Give the rewrite rule a name such as Validate Host header.

  6. In the Match URL section, enter (.*) as the pattern.

  7. Add a condition for Host header validation.

    1. Click Add in the Conditions section.

    2. In the Condition input field, enter {HTTP_HOST}.

    3. From the Check if input string dropdown, select Does Not Match the Pattern.

    4. In the Pattern field, enter ^([a-zA-Z0-9-_]+\.)yourdomain\.com$ (replace yourdomain.com with your actual domain). The dots are escaped with a backslash so that they match a literal dot rather than any character.

  8. Set up the action.

    1. In the Action section, choose Redirect as the Action type.

    2. Enter your domain address (e.g., https://yourdomain.com/) in the Redirect URL field.

      Any request with an invalid host will be redirected to the specified domain.

    3. Select Permanent (301) from the Redirect type list.

  9. Click Apply in the Actions pane to save the new rule.

Verification

After configuring Host header validation, verify your setup by sending requests with both valid and invalid Host headers and confirming that only requests with a valid Host header reach the application, while the others receive the configured redirect. This helps prevent unauthorized access and maintain the security of your Bravura Security Fabric installation.
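The following Python script is an added example, not part of this documentation or of the Bravura Security Fabric product. It simulates the rule configured in the steps above (the {HTTP_HOST} condition with the pattern from step 7 and the permanent redirect from step 8) so that you can check which Host values the pattern accepts before relying on it in IIS, and it shows why the dots in the pattern must be escaped. It assumes the placeholder domain yourdomain.com from the steps; all sample Host header values are constructed for the example.

```python
import re

# Constructed placeholder domain from the steps above; replace with your own.
DOMAIN = "yourdomain.com"
REDIRECT_URL = f"https://{DOMAIN}/"

# The pattern as entered in the IIS condition: the Host must be a single
# label followed by a literal ".yourdomain.com". Escaped dots match literally.
ALLOWED_HOST = re.compile(r"^([a-zA-Z0-9-_]+\.)yourdomain\.com$")

# The same pattern with unescaped dots, kept only to show what it would accept.
LOOSE_HOST = re.compile(r"^([a-zA-Z0-9-_]+.)yourdomain.com$")


def host_is_valid(host: str, pattern: re.Pattern = ALLOWED_HOST) -> bool:
    """Mirror the IIS condition. The rule fires when {HTTP_HOST} does NOT
    match the pattern, so a valid host is one the pattern matches."""
    return pattern.match(host) is not None


def apply_rule(host: str, pattern: re.Pattern = ALLOWED_HOST):
    """Simulate the rewrite rule for one request.
    Returns ("pass", None) when the request should reach the application,
    or ("redirect", 301, REDIRECT_URL) when IIS would issue the redirect."""
    if host_is_valid(host, pattern):
        return ("pass", None)
    return ("redirect", 301, REDIRECT_URL)


# Constructed Host header values for verification. The first two are hosts
# you would expect to serve; the remaining ones must be redirected.
SAMPLE_HOSTS = [
    "sso.yourdomain.com",
    "fabric-01.yourdomain.com",
    "yourdomain.com",            # apex domain: not matched by this pattern
    "sso.yourdomain.com:8443",   # explicit port: not matched by this pattern
    "evil.example",
    "yourdomain.com.evil.example",
    "evilxyourdomain.com",       # accepted only if the dots are unescaped
    "ssoxyourdomainxcom",        # accepted only if the dots are unescaped
]


def verify(pattern: re.Pattern = ALLOWED_HOST) -> dict:
    """Run every sample host through the rule; returns host -> outcome."""
    return {host: apply_rule(host, pattern)[0] for host in SAMPLE_HOSTS}


if __name__ == "__main__":
    for label, pattern in (("escaped", ALLOWED_HOST), ("unescaped", LOOSE_HOST)):
        print(f"--- pattern with {label} dots ---")
        for host, outcome in verify(pattern).items():
            print(f"{host:32} {outcome}")
```

Two points the sample output makes visible: the pattern from step 7 requires a subdomain label, so the apex domain yourdomain.com itself is redirected (make the group optional with a trailing ? if you also serve the apex), and IIS populates {HTTP_HOST} with the Host header exactly as the client sent it, including any :port suffix, so a site served on a non-default port needs the port allowed in the pattern. The anchors and character classes used here behave the same in Python's re and in the .NET regular expressions that IIS URL Rewrite evaluates.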

Additional Resources

For further details on Host header vulnerabilities and configuration, refer to Microsoft's documentation on Host Header Vulnerability.