- To mitigate host header poisoning/attack kindly make sure.
- Use the hostname instead of IP address in the header.
- Can refuse a request if it doesn't have the desired or expected host header.
- For this, Add initial RewriteCond/RewriteRule pair to confirm the HOST requested is ABCDEF.com and error if not.
- To restrict add below lines between <VirtualHost :443> OR <VirtualHost :80>
File Name : httpd-ssl.conf OR ssl.conf
*************************************************************
LoadModule rewrite_module modules/mod_rewrite.so
<VirtualHost :443>
ServerName ABCDEF
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www.abcdef.com [NC]
RewriteCond %{HTTP_HOST} !^(www.abcdef.com|abcdef.com)$ [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
</VirtualHost>
*************************************************************
## Restrict the Use of IP address in URL to access application.
File Name : httpd-ssl.conf OR ssl.conf
*************************************************************
<VirtualHost :443>
ServerName ABCDEF.com
ServerAlias www.ABCDEF.com
#UseCanonicalName will use the hostname and port specified in the ServerName or ServerAlias
UseCanonicalName On
# Restrict the Use of IP adderss in URL
SetEnvIf Host "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" HostHeaderIsIP=1
RewriteEngine on
RewriteCond %{ENV:HostHeaderIsIP} 1
RewriteRule .* - [F]
</VirtualHost>
*************************************************************
Thanks 😊
No comments:
Post a Comment