Host Header Injection

Framework version 1.3, Studio version 1.5.

The app has a security issue: “vulnerable to Host Header Injection”.

The security team suggests “avoid using the Host header altogether in server-side code”. I’m not sure what this is about, could you please help?

This question concerns Spring web applications in general.

According to this recommendation, you can define the following bean in your application to eliminate the possibility of Host Header Injection attacks:

import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.firewall.StrictHttpFirewall;

// Goes into a @Configuration class; replaces the default firewall of the Spring Security filter chain.
@Bean
public WebSecurityCustomizer myWebSecurityCustomizer() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    // Only these server names (the host part of the Host header) are accepted; any other value is rejected.
    Set<String> hosts = Set.of("localhost", "myotherhost");
    firewall.setAllowedHostnames(hosts::contains);

    return web -> web.httpFirewall(firewall);
}
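To see what that bean actually enforces, here is an added example (not code from the original thread or from Jmix) that runs the same StrictHttpFirewall directly against constructed requests, using MockHttpServletRequest from spring-test. `getFirewalledRequest` is the call the Spring Security filter chain makes for every incoming request; the hostnames `app.example.com` and `attacker.example` are assumptions for the demo.

```java
import java.util.Set;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

public class HostAllowlistDemo {

    // Same firewall the bean installs; the hostnames are assumptions for this demo.
    static StrictHttpFirewall firewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        Set<String> hosts = Set.of("localhost", "app.example.com");
        firewall.setAllowedHostnames(hosts::contains);
        return firewall;
    }

    // Returns true if the firewall lets a GET / with the given Host value through.
    static boolean accepts(StrictHttpFirewall firewall, String host) {
        // Constructed request: the servlet container derives getServerName() from the Host header,
        // which is exactly the value StrictHttpFirewall checks against the allowlist.
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
        request.setServerName(host);
        request.addHeader("Host", host);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        StrictHttpFirewall firewall = firewall();
        for (String host : new String[] {"localhost", "app.example.com", "attacker.example"}) {
            System.out.println(host + " -> " + (accepts(firewall, host) ? "accepted" : "rejected"));
        }
    }
}
```

The first two hosts pass; `attacker.example` throws a RequestRejectedException inside the firewall, so the request never reaches a filter or controller that might build a URL (password-reset link, redirect, cache key) from the Host header. Two things to check in a deployment: the allowlist must contain every hostname clients legitimately use (including the bare IP or internal name used by health checks), and if the app runs behind a reverse proxy with forwarded headers enabled, `getServerName()` reflects X-Forwarded-Host, so the public hostname is what has to be listed.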