
Get hostname from request in Play Framework. Security issue?

I am using Play 2.2 and I need to send emails containing a link back to my application (for signup purposes). For now the email is triggered by an API (which basically says "I want to request access to this app"). An email is received by the admin, who can accept or deny the request, with a one-time token mechanism for security.

I am using reverse routing and the absoluteURL() method to determine what URL I need to insert in the email. This can't be hardcoded because the app runs on different environments / domain names, so I want this to be dynamic.

However, absoluteURL uses the request as an implicit parameter and gets the URL from the Host header. It's possible to forge a request with a different "Host" header and send it to my app, which can result in an email having a link like http://evil.com/acceptRequest?token=gfdklhggfd, the token being legit since it was actually generated by my application.

Is there a better way to do this without security issues?

An alternative would be to pass the hostname as part of the configuration - if each environment effectively runs as a separate application.

For example, in application.conf:

hostName=${HOST_NAME}

And then set the environment variable HOST_NAME for the script that runs the play server.

That being said -- what could an attacker achieve with a forged URL? Could an access key or the like be re-used for another host? That is where I would try to make things secure.
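One way to put the answer's suggestion into practice in Play 2.2 (Scala API), as an added example that is not part of the original post: links are built from the configured hostName key rather than from the request's Host header, and an action builder rejects requests whose Host does not match the configured value. The linkScheme key, the Admin controller and the acceptRequest route are assumptions for the illustration.

```scala
import play.api.Play
import play.api.Play.current
import play.api.mvc._
import scala.concurrent.Future

/** Builds absolute links from configuration instead of the Host header. */
object ConfiguredHost {
  // "hostName" is the key from application.conf (hostName=${HOST_NAME});
  // a forged Host header can no longer reach the generated link.
  lazy val host: String = Play.configuration.getString("hostName")
    .getOrElse(sys.error("application.conf: hostName is not set"))

  // Assumed extra key; defaults to https so the emailed link is always TLS.
  lazy val scheme: String = Play.configuration.getString("linkScheme").getOrElse("https")

  /** Reverse-routed Call (path + query) joined to the configured origin. */
  def absoluteUrl(call: Call): String = s"$scheme://$host${call.url}"

  /** Action builder that refuses requests carrying an unexpected Host header. */
  object TrustedHostAction extends ActionBuilder[Request] {
    def invokeBlock[A](request: Request[A],
                       block: Request[A] => Future[SimpleResult]): Future[SimpleResult] =
      if (request.host.equalsIgnoreCase(host)) block(request)
      else Future.successful(Results.BadRequest("unexpected Host header"))
  }
}

/** Assumed controller showing the helper in use; routes.Admin.acceptRequest is hypothetical. */
object Admin extends Controller {
  import ConfiguredHost.TrustedHostAction

  def requestAccess = TrustedHostAction { implicit request =>
    val token = java.util.UUID.randomUUID.toString   // stand-in for the one-time token
    // Previously: routes.Admin.acceptRequest(token).absoluteURL()  (Host-header based)
    val link = ConfiguredHost.absoluteUrl(routes.Admin.acceptRequest(token))
    // ... persist the token and send `link` to the admin by email ...
    Ok(s"Request recorded; admin link points at ${ConfiguredHost.host}")
  }

  def acceptRequest(token: String) = TrustedHostAction { implicit request =>
    // ... look up and consume the one-time token ...
    Ok("accepted")
  }
}
```

The Host check is defence in depth: even if some code path still calls absoluteURL(), a request with a mismatched Host never reaches it.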
