
Nginx by default overwrites the `$host` property to `$http_host` if the HTTP Host header is present. Is there a way to disable this behavior?
I want to prevent host-header injection by disabling this behavior.

amitng
  • The value of `$host` is the same as `$server_name` before it is "overwritten" by `$http_host`. You could just use that instead. – Richard Smith May 14 '21 at 08:42
  • Thanks @RichardSmith. We are not setting the value for `$server_name` explicitly, so it will not be possible to use this approach currently. What I am looking for is some nginx variable which preserves the hostname from the original request. Not sure if that is actually possible? – amitng May 17 '21 at 03:34

0 Answers
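
One way to apply the `$server_name` suggestion from the comments above, as an added example that is not part of the original thread. It assumes an explicit `server_name` is configured (which the asker says is not currently the case); `app.example.com` and `127.0.0.1:8080` are placeholders.

```nginx
# Added example; goes inside the http { } context.
# app.example.com and 127.0.0.1:8080 are placeholder values.

# Catch-all: a request whose Host matches no server_name below is handled
# here, and the connection is closed without a response (444 is an
# nginx-specific code).
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    # Explicit name: only requests for this host are routed to this block,
    # and $server_name holds this configured value.
    server_name app.example.com;

    location / {
        # Weak setting: $http_host is the raw client-supplied Host header.
        # proxy_set_header Host $http_host;

        # Corrected setting: forward the configured name instead.
        proxy_set_header Host $server_name;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

`nginx -t` validates the syntax before a reload.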