
Are there any alternatives to overriding the 'host' header programmatically

I have two services I'm running locally in Docker images. One of them is an nginx server configured to proxy requests to various other services, and the other is a simple React GraphiQL UI.

The nginx server is not explicitly set up to run on localhost, but when making requests with curl/Postman I can explicitly set the host header to that of the actual URL (rather than localhost), and it will then find the correct config and the request will succeed.

The issue is that I would like to call the server from a local instance of my UI, but it's failing because I can't overwrite the host header. I've tried to manually add it to my React fetch request, but when I check the request in the browser the header isn't there. After some searching I then found some Slack posts saying it's not possible, although no references to why.

return fetch(
    edgeUrl(environment) + "/some/endpoint",
    {
        method: "POST",
        headers: {
            'Authorization': 'Bearer ' + getApiKey(partner, environment),
            // 'host' and 'origin' are forbidden header names in the Fetch spec:
            // browsers silently drop them, so they never appear on the wire
            'host': 'actual.host.com',
            'origin': 'http://localhost/'
        },
        body: JSON.stringify({ query })
    }
);

Is there any other way to override the host used in requests? Possibly another HTTP library I could use? I'd prefer not to have to configure the nginx server for localhost, as it is owned by another team.

You should not try to change the host header. The browser won't allow you to, and it's not the right way to do it.

As I see it, you have 2 options:

  1. Configure NGINX to accept requests to localhost, if that is its actual hostname.

  2. Change the hosts file to point your domain to 127.0.0.1, which is equivalent to adding it to DNS.

The Windows hosts file is located here: C:\Windows\System32\drivers\etc\hosts.

You should add the following to your hosts file after the comment lines (those starting with #):

127.0.0.1 actual.host.com

For anyone interested, here's some information on possible attacks using the host header and why it's useful to validate it, which is what this service is doing.

https://portswigger.net/web-security/host-header

https://infosecwriteups.com/identifying-escalating-http-host-header-injection-attacks-7586d0ff2c67
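As an added example (not from the question, the answer or the other team's config), this is what option 1 looks like in nginx, together with the catch-all block that performs the Host validation the linked articles describe; the hostnames, port, path and upstream address are assumptions:

```nginx
# Catch-all: any request whose Host header matches no server_name lands here.
# Returning 444 closes the connection without a response, so a forged or
# missing Host header is never forwarded to an application upstream.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Option 1 from the answer: add localhost (and 127.0.0.1) as extra names on
# the existing block so requests from the local UI route to the same upstreams.
# With option 2 (hosts file entry) the browser already sends
# Host: actual.host.com, so this block matches without the extra names.
server {
    listen 80;
    server_name actual.host.com localhost 127.0.0.1;

    location /some/endpoint {
        # Forward the Host value nginx has already matched against server_name,
        # rather than letting the upstream trust an arbitrary client-supplied name.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_pass http://graphql_backend;
    }
}

upstream graphql_backend {
    server 127.0.0.1:4000;   # assumed address of the proxied service
}
```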

I'm going to ask the other team if I can add localhost configuration to their nginx config so that I can make requests locally. It looks like my coworker was misinformed in suggesting I override the host header.
