Secure against Host header injection

Hello everybody. Penetration testing for our site (hosted on Cloudflare Pages - domain DNS on CF as well) revealed a potential problem with Host header injection.
I found there is a way to rewrite the Host header with Page Rules, but it can only be done on the Enterprise plan - which is sadly out of our options. So what else can we do in CF settings to force one specific value to be used for Host no matter what?
Thank you very much in advance for any tips, Adam K.

I’m not sure what it is you’re asking - you want to defend against someone sending you a rewritten Host header or you want to know how to change your own without Page Rules?

He is talking about an attack vector that enterprise customers could potentially perform on other customers; however, it’s so unlikely to occur that it isn’t considered an issue.


Fair enough - I guess the best protection would be using your own customer-provided certificate with Authenticated Origin Pulls. Set up authenticated origin pulls · Cloudflare SSL/TLS docs

1 Like

Since Cloudflare is the one performing the request when you override the Host, I guess that maybe it would pass that check.

You could add a secret header between the edge and your backend to double-ensure the request is coming from the account you expect it to.

1 Like
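The secret-header idea from the reply above, as an added example that is not part of the original thread and is not Cloudflare's code: a backend-side gate that rejects requests lacking the shared secret and, going one step beyond the reply, also checks Host against a fixed allowlist and builds absolute URLs from a configured name instead of the header. The header name `x-edge-auth`, the hostnames and the secret are hypothetical values constructed for illustration.

```javascript
// Added example: origin-side request gate. All names and values are constructed.
const ALLOWED_HOSTS = new Set(["www.example.com", "example.com"]); // assumed site names
const CANONICAL_HOST = "www.example.com"; // used for every generated absolute URL
const SECRET_HEADER = "x-edge-auth";      // hypothetical header set at the edge

// Dependency-free comparison with no early exit. On Node, prefer
// crypto.timingSafeEqual over equal-length buffers.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

// Lowercase, drop an optional port and trailing dot; null for anything else
// (missing header, duplicated header delivered as an array, stray characters).
function normalizeHost(raw) {
  if (typeof raw !== "string") return null;
  const m = /^([a-z0-9.-]+?)\.?(?::(\d{1,5}))?$/i.exec(raw.trim());
  return m ? m[1].toLowerCase() : null;
}

// headers: plain object with lowercase keys, as Node's http module provides.
function gate(headers, expectedSecret) {
  const host = normalizeHost(headers["host"]);
  if (host === null) return { status: 400, reason: "malformed Host" };
  if (!ALLOWED_HOSTS.has(host)) return { status: 421, reason: "unknown Host" };

  const presented = headers[SECRET_HEADER];
  if (typeof presented !== "string" || !constantTimeEqual(presented, expectedSecret)) {
    return { status: 403, reason: "edge secret missing or wrong" };
  }
  return { status: 200, reason: "ok" };
}

// Links in redirects, e-mails and password resets never reflect the request's Host.
function canonicalUrl(path) {
  return "https://" + CANONICAL_HOST + (path.startsWith("/") ? path : "/" + path);
}
```

The secret is passed in as a parameter so it can come from the backend's own configuration store rather than from source code.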

Depends if AOP’s idea of “per zone” or “per hostname” is going off your actual zone/record or just the Host header as well I guess.


The joys of security audits pointing out obscure things that you gotta fix for the tickboxes

1 Like

@KianNH & @jnperamo - thanks for your feedback. I agree this is just for the tickboxes - but no matter, we’ve been assigned that task.
I have to admit I don’t understand the outcome of the conversation - so I will ask plain and simple - what do you think is the best way this can be achieved?
