HTTPS Host header attack

A couple of days ago I got a report from a security scanner that my domains are vulnerable to a Host Header attack.

Let's say that is a domain I have registered in Cloudflare.
If I then run

curl -vi --header "Host:"

I get the following response

Date: Tue, 04 Jan 2022 10:28:10 GMT
Content-Length: 0
Connection: keep-alive
x-msedge-ref: Ref A: 49CBCD22861E4A909280D53497F69330 Ref B: LTSEDGE1011 Ref C: 2022-01-04T10:28:10Z
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/\/report\/v3?s=Qnm%2FmOzytD4200hQPbYNCR0e6c8VwIqyu7KCCfcnDwwAgcqVbUQetzg4YvpWqSwS2y2FW52NkBLNGst9ZXPGm0bvu1TRDsnPlzCsMyPY0oq5s9XY%2BBsKyhF4jhrC9fGt1r5uqKyHHA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6c83c74d9c1872e5-LHR
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

So I have 2 questions 

1. I have disabled `Always Use HTTPS` in Cloudflare but it still appears to be doing the redirect for some reason. Any idea why? I do have HSTS enabled and the "Full (Strict)" SSL/TLS mode enabled. I wonder if one of these is causing the HTTPS redirect?

2. But more importantly, how can I stop this 301 from happening?
I also wonder if this is a recent internal change as I have been running these scans for almost a year and it only found this problem 3 days ago. (I have changed nothing in my cloudflare account)


May I ask which tool/scanner you have used?

You’ve disabled this option, but may I ask:

  1. Before moving to Cloudflare, was your Website working over HTTPS connection?
  2. Which SSL option have you got selected under the SSL/TLS tab at Cloudflare dashboard for your domain ( Flexible, Full, Full Strict … )?

I misread it, it's good you have Full (Strict) SSL and HSTS, so why disable the Always Use HTTPS option then?

Why would you want to stop the redirection and have issues like possible duplicates in Google Search, visitors seeing different content due to the HTTP vs HTTPS version, not to mention non-www vs www too?

Furthermore, 301 redirection is a normal thing I guess.
Like, from any HTTP to HTTPS is recommended to have nowadays.

May I suggest looking into below post:


From the blog:

1 Like

The redirect is actually because someone has set up in Cloudflare, and Cloudflare is just loading the configuration for that zone when it does stuff. You can do the same for something else like

curl -v --header "Host:"
< HTTP/1.1 301 Moved Permanently
< Location:

I suspect this person who added set up a www redirect in Cloudflare. As for why this happens at all, Cloudflare will respond to HTTP and DNS requests for zones before they’ve confirmed ownership so that, as new records propagate, the website still works. This really doesn’t cause any security issues, or at least, Cloudflare thinks that.

As you can see, testing a different non-CF website does not return a redirect and instead throws an error.

curl -v --header "Host:"
< HTTP/1.1 409 Conflict
error code: 1001

So this sounds like a non-issue in your case, and the warning in your security scanner can be safely ignored.


So normally I have the http->https redirect set up but I disabled it when playing around with this to see what was going on.

I have enabled the http->https redirection again, but my thought was that if I disabled it the 301 would stop happening. For some reason the redirect still occurs. You do not get the same behaviour with the following command:

curl -vi --header "Host:"

So I thought it may be an issue with the forced redirect.

Thanks for the post, but I saw that when looking into this. It does not really appear to give an answer though. The accepted answer just says Cloudflare is big so it can't be a problem. But I am not sure I would ever agree with that statement.

The point is that the Host header determines what website Cloudflare should load the configuration for. There is absolutely zero other information about the original website ( that Cloudflare receives when the host header is changed in the request. Thus, even if there is some issue with Cloudflare, it wouldn’t affect your website since Cloudflare doesn’t know what the original domain was supposed to be and thus won’t touch it.

1 Like
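The point above is the general rule for any server that sits behind a proxy or serves several zones: the Host header is attacker-controlled input and must only be used to select a configuration, never to build a redirect target. The following is an added example, not code from this thread or from Cloudflare, showing a naive origin that reflects Host into the 301 Location (the behaviour scanners flag as a "Host header attack") beside a hardened version that validates Host against an allow-list and builds the Location from a configured canonical hostname. The hostnames `example.com` / `www.example.com` and the request dictionaries are constructed for the example.

```python
# Constructed configuration for this example: the hostnames the origin is
# willing to serve, and the canonical host that redirects should point at.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
CANONICAL_HOST = "www.example.com"


def normalize_host(host_header):
    """Lower-case a Host value and strip an optional :port.

    Returns None for a missing or malformed value (empty, contains
    path/whitespace characters, bracketed IPv6 literal, non-numeric port).
    """
    if host_header is None:
        return None
    host = host_header.strip().lower()
    if not host or any(c in host for c in " \t/\\?#@"):
        return None
    if host.startswith("["):          # IPv6 literals are not expected here
        return None
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not host or not port.isdigit():
            return None
    return host


def route_request_naive(path, headers, scheme="http"):
    """Vulnerable pattern: the redirect target is copied from the Host header.

    Whatever the client sends as Host ends up in the Location header, so an
    attacker-supplied Host produces a redirect to an attacker-chosen site.
    """
    if scheme != "https":
        return 301, {"Location": f"https://{headers.get('Host', '')}{path}"}
    return 200, {"Content-Type": "text/html"}


def route_request_hardened(path, headers, scheme="http"):
    """Hardened pattern: Host only selects a known site, never a redirect target.

    - Host missing, malformed, or not in ALLOWED_HOSTS -> 400, no redirect
    - http request for a known host -> 301 to the configured canonical https URL
    - https request for a known host -> 200
    """
    host = normalize_host(headers.get("Host"))
    if host is None or host not in ALLOWED_HOSTS:
        # Nothing from the request is echoed back; the client gets a bare 400.
        return 400, {"Content-Length": "0"}
    if scheme != "https":
        # Location is built from CANONICAL_HOST, not from the Host header.
        return 301, {"Location": f"https://{CANONICAL_HOST}{path}"}
    return 200, {"Content-Type": "text/html"}


if __name__ == "__main__":
    # Constructed requests: a legitimate one and one with a forged Host.
    for hdrs in ({"Host": "example.com:80"}, {"Host": "attacker.invalid"}):
        print("naive    ", hdrs, "->", route_request_naive("/login", hdrs))
        print("hardened ", hdrs, "->", route_request_hardened("/login", hdrs))
```

Running the block prints the contrast directly: the naive handler answers the forged Host with `Location: https://attacker.invalid/login`, while the hardened handler returns 400 for it and redirects the legitimate request to `https://www.example.com/login` regardless of the port or capitalisation the client used in Host. Behind a proxy such as Cloudflare the same check belongs on the origin, since the proxy forwards the Host it received.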
