# I did a scan that said I am susceptible to "Redirection via Arbitrary Host Header Manipulation"
12 messages · Page 1 of 1 (latest)
Project ID: b9925fd6-91f7-4404-b3d6-d26d91fdb2c3
You can't use an IP address to access your app; please use the provided domains or use a custom domain.
Do you think this is the reason the scan is failing?
Railway uses the host to know what app to proxy the incoming requests to; nothing here is bad or out of the ordinary.
Ah I see, I guess it's out of my control then. Thanks!
@thick fractal Wait, so to clarify, there is no way to prevent it from directing to qqq.com?
See this message again, please. But if you are bothered by this functionality, you could use Cloudflare or Fastly to set a fixed host.
If you're worried about some kind of security vulnerability or attack vector, I genuinely can't see how this would affect your API in any way. If a user wants to specify an incorrect host when making a request, well, then their request simply won't make it to your app, and that's on the user for creating a malformed request.
Ah okay, I understand. I just wanted to make sure that we were talking about the same thing the other day. Thanks for the suggestions!