Version: 8.1

Protection from host header vulnerability

Browsers send the Host header to specify which site the client wants to visit. Malicious actors can inject the Host header so that their website is displayed instead of the target website. For example, they can spoof a password reset form.

All instances of Creatio in the cloud are protected from host header injection attacks out of the box. If you use Creatio on-site, set up the protection yourself. You can do it in the following ways:

  1. Use the Microsoft URL Rewrite module for IIS. To do this, follow the official Microsoft instructions.
  2. Use the built-in mechanism in Creatio version 8.1.2 and later. For example, this is useful if you use .NET 6 on Linux.

Use the built-in Creatio mechanism

Make sure to fill out the settings correctly to ensure Creatio operates as intended.

To turn on the built-in host header protection mechanism, fill out the AllowedHostHeaderPattern setting in the web.config file of WebApp.Loader. You can do it as follows:

<add key="AllowedHostHeaderPattern" value="myhost.domain.com" /> 

In this case, the Host header is accepted if it contains the value (the “contains” rule). The setting also supports regular expressions, which let you set up more flexible options, for example:

<add key="AllowedHostHeaderPattern" value="^myhost\.domain\.(com|it|eu)$" /> 

If you use IP addresses to contact the website, include both the IP address and the DNS name of the website in the value, joined with the “|” (“or”) regular expression operator.

If you use a web farm, set the value to the balancer host name and IP address in a single regular expression:

<add key="AllowedHostHeaderPattern" value="mybalancerhost.domain.com|192.168.11.12" /> 
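The following Python is an added illustration, not Creatio's own code, of how the configured value is applied to the Host header. It assumes the value is used as an unanchored, case-insensitive regular-expression search, which is what makes a plain host name behave as a “contains” rule and a ^...$ pattern an exact match; the FARM_STRICT pattern is an assumed anchored variant, not taken from the documentation.

```python
import re

# Assumed model (not Creatio's implementation): the configured value is applied
# to the Host header as an unanchored, case-insensitive regular-expression
# search. A plain host name then behaves as the documented "contains" rule,
# and ^...$ anchors turn the check into an exact match.
def host_allowed(pattern: str, host_header: str) -> bool:
    """Return True if the Host header value satisfies the configured pattern."""
    return re.search(pattern, host_header, re.IGNORECASE) is not None


# The three patterns from the documentation, plus an assumed anchored variant
# of the web-farm pattern with the dots escaped so "." only matches a dot.
CONTAINS = "myhost.domain.com"
ANCHORED = r"^myhost\.domain\.(com|it|eu)$"
FARM = "mybalancerhost.domain.com|192.168.11.12"
FARM_STRICT = r"^(mybalancerhost\.domain\.com|192\.168\.11\.12)$"


def evaluate(pattern: str, hosts: list) -> dict:
    """Evaluate one pattern against several Host header values."""
    return {h: host_allowed(pattern, h) for h in hosts}


if __name__ == "__main__":
    # Constructed Host header values: legitimate ones and a look-alike that
    # merely contains the real host name as a prefix.
    samples = [
        "myhost.domain.com",
        "myhost.domain.it",
        "myhost.domain.com.look-alike.example",
    ]
    for name, pattern in [("contains", CONTAINS), ("anchored", ANCHORED)]:
        print(name, evaluate(pattern, samples))
    print("farm", evaluate(FARM, ["192.168.11.12", "192.168.11.12.look-alike.example"]))
    print("farm_strict", evaluate(FARM_STRICT, ["192.168.11.12", "192.168.11.12.look-alike.example"]))
```

Running it shows that the plain “contains” value also accepts the look-alike host, while the anchored patterns accept only the exact host names, which is why an anchored expression is the safer choice when the setting allows it.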

See also

Description of system settings