Host Header Injection
What it is
Host Header Injection occurs when an application trusts the HTTP Host header as supplied by the client, a value the client can set to anything, allowing an attacker to manipulate application logic or the downstream integrations that rely on it.
Why it matters
It can enable password reset poisoning, cache poisoning, and open-redirect attacks by forging absolute URLs or altering how proxies route requests.
How to reduce risk
- Validate Host headers against a strict allowlist of approved domains
- Avoid trusting user-controlled headers when generating links, redirects, or emails
- Terminate TLS and routing at gateways that enforce canonical hostnames
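A minimal illustration of the first two points above, written for this entry rather than taken from any particular framework: the allowlist, the canonical origin and the function names are assumed, and the unsafe variant is included only to show the contrast with the hardened one.

```python
from typing import Optional
from urllib.parse import urlunsplit

# Constructed allowlist of hostnames this deployment actually serves.
ALLOWED_HOSTS = {"app.example.com", "www.example.com"}
# Canonical origin used for every absolute URL the app generates
# (password resets, redirects, e-mails). It never comes from the request.
CANONICAL_ORIGIN = ("https", "app.example.com")


def validate_host(host_header: Optional[str], allowed=ALLOWED_HOSTS) -> Optional[str]:
    """Return the normalised hostname if it is allowlisted, otherwise None.

    Accepts 'host', 'host:port' and bracketed IPv6 '[addr]:port' forms;
    anything malformed or not on the allowlist is rejected.
    """
    if not host_header:
        return None
    value = host_header.strip().lower()
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        if end == -1:
            return None
        host, suffix = value[: end + 1], value[end + 1 :]
    else:
        host, sep, port = value.partition(":")
        suffix = sep + port
    # An optional port must be ':' followed by digits only.
    if suffix and not (suffix[0] == ":" and suffix[1:].isdigit()):
        return None
    return host if host in allowed else None


def build_reset_url_unsafe(token: str, request_host: str) -> str:
    # Vulnerable pattern: the client-supplied Host ends up in the e-mailed link,
    # so a forged header redirects the reset token to a host the attacker chooses.
    return f"https://{request_host}/reset?token={token}"


def build_reset_url(token: str, request_host: Optional[str]) -> Optional[str]:
    """Hardened: reject unknown hosts, then build the link from the canonical origin."""
    if validate_host(request_host) is None:
        return None          # Refuse the request; never fall back to the header.
    scheme, host = CANONICAL_ORIGIN
    return urlunsplit((scheme, host, "/reset", f"token={token}", ""))
```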
Related Terms: Open Redirect, Web Application Firewall, Phishing