Forum Discussion

Nimbostratus

Dec 08, 2017

Host header vulnerability

This interesting vulnerability was found with a simple redirect irule by injecting a bad actor site as a host header, the F5 will redirect based on the host header and not on the host within the URL ...

iRules

security

Stanislas_Piro2

Cumulonimbus

Dec 11, 2017

when you enter in the address bar the following URL :

https://foobar.com/mypath.php

the HTTP request is:

GET /mypath.php HTTP/1.1
Host: foobar.com
User-Agent: Mozilla .....
...

this is how HTTP works.

you can filter allowed host header values with this code:

when RULE_INIT {
    set static::allowed_hosts [list foobar.com www.foobar.com www.company.com]
}

when HTTP_REQUEST {
    if {[lsearch [string tolower [HTTP::host]] $static::allowed_hosts] != -1}
    HTTP::respond 301 Location "https://[HTTP::host][HTTP::uri]"
}

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Host header vulnerability

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

SSO login for APM Profiles

Need Advice on below issue

Virtual Server Configuration requirements for ISO 8583 traffic (Single persistent TCP session)

threat hunting guide

Webtop which has VNC for macos users

Related Content

(HTTP) Redirection via Arbitrary Host Header

OpenSSH vulnerability

host header in F5

Rewrite Host Header to Server Name

Mitigating Log4j Vulnerability using F5 BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS