I’m doing the following to redirect non-https traffic to https:
redirect scheme https code 301 if !{ ssl_fc }
This works great; however, if a user injects a Host header, they are redirected to that host rather than the intended target.
E.g.
Request: http://example.com
Host Header: maliciousexample.com
Expected:
Redirect to https://example.com
Actual:
Redirect to https://maliciousexample.com
Is it possible to replace the Host header with the target URI or, failing that, to check that the Host header is a domain I have configured?
4 posts - 2 participants
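The behaviour described above comes from `redirect scheme`, which builds the Location header from the request's own Host header. The following frontend is an added example, not configuration from the original post or from HAProxy's documentation: it keeps the vulnerable line as a comment beside two hardened forms, one that only redirects Host values on an allowlist and one that ignores the client's Host altogether. The hostnames `example.com`/`www.example.com`, the certificate path and the frontend/backend names are assumptions for illustration.

```haproxy
# Added example (not from the original post). Assumes the site is served as
# example.com / www.example.com; frontend, backend, cert path and backend
# address are placeholders.

frontend fe_web
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/example.com.pem

    # Original (vulnerable) form: the Location is built from whatever Host
    # header the client sent, so a forged Host is echoed back as an open redirect.
    #   redirect scheme https code 301 if !{ ssl_fc }

    # Allowlist of Host values this frontend actually serves. A client may send
    # the port in the Host header (e.g. "example.com:80"), so those forms are
    # listed explicitly; "lower" makes the match case-insensitive.
    acl allowed_host req.hdr(host),lower -m str example.com www.example.com example.com:80 www.example.com:80

    # Option 1: refuse requests whose Host is not one we serve (403 by default),
    # then redirect the remaining plain-HTTP requests. Anything that reaches
    # the redirect now carries an allowlisted Host, so the Location is safe.
    http-request deny unless allowed_host
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Option 2 (use instead of the deny above if unknown hosts must still be
    # redirected somewhere): ignore the client's Host and redirect to a fixed
    # origin, preserving only the path and query string of the request.
    #   http-request redirect location https://example.com%[capture.req.uri] code 301 unless { ssl_fc }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080 check
```

With option 1 a request such as `GET / HTTP/1.1` with `Host: maliciousexample.com` is answered with 403 rather than a 301 to `https://maliciousexample.com/`, while `Host: example.com` still receives the expected redirect to `https://example.com/`. Note that the deny also applies to requests with no Host header at all, so any health checks hitting this frontend must send one of the allowlisted values.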