
If I make a request to a Firebase hosted app using the URL "dev.example.com" and I set the Host header to be "prod.example.com", Firebase delivers the app from "prod.example.com".

Why is this allowed? And how do I configure Firebase to allow only a URL domain that matches the Host header domain?

I didn’t find a way of enforcing the host header to have the same domain as the url.

2 Answers


  1. Firebase allows different Host headers for flexibility, which can be useful for testing different domains. It doesn’t provide built-in features for strict validation if you want to enforce that the Host header must match the specified domain.

    You will need to implement additional checks in your application code to verify that the Host header matches the expected domain. Firebase doesn’t directly enforce this requirement; it’s something you’d handle within your application’s logic.

  2. It’s not enforceable, nor will it ever be. The point of the Host header is to allow for multiple virtual sites to be hosted at the same server with a single IP address (which is a very limited resource in IPv4). The client uses it to tell the server which site it’s trying to access, regardless of the IP address used to connect or how many virtual sites are hosted at that IP.

    See: What is HTTP "Host" header?

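The application-level check suggested in the first answer, sketched as an added example (not code from either answer or from Firebase): an Express-style middleware that serves a request only when its Host header names a hostname this deployment expects. It pins the app to its own names; as the second answer explains, the server never sees which name the client connected with, only the header. `ALLOWED_HOSTS` and the `trustForwardedHost` option are assumptions, the latter meant only for a fronting proxy that overwrites `X-Forwarded-Host`.

```javascript
// Added example: Host allowlist for a Node handler (Express-style signature).
// ALLOWED_HOSTS is a constructed value; list the hostnames this deployment serves.
const ALLOWED_HOSTS = ["prod.example.com"];

// Return the lowercase hostname without port or trailing dot, or null when the
// value is not a single well-formed DNS hostname (lists, spaces, IP literals).
function normalizeHost(raw) {
  if (typeof raw !== "string") return null;
  const m = /^([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)\.?(?::(\d{1,5}))?$/i.exec(raw.trim());
  if (!m || m[1].includes("..")) return null;
  if (m[2] !== undefined && Number(m[2]) > 65535) return null;
  return m[1].toLowerCase();
}

// Exact-match comparison against the allowlist; anything unparsable fails closed.
// trustForwardedHost (assumption): read X-Forwarded-Host instead of Host, for
// apps behind a proxy that always overwrites that header itself.
function isAllowedHost(headers, allowed, trustForwardedHost = false) {
  const raw = trustForwardedHost && headers["x-forwarded-host"] !== undefined
    ? headers["x-forwarded-host"]
    : headers["host"];
  const host = normalizeHost(raw);
  return host !== null && allowed.includes(host);
}

// Middleware factory: pass allowed requests on, answer the rest with
// 421 Misdirected Request before any application route runs.
function hostAllowlist(allowed = ALLOWED_HOSTS, opts = {}) {
  const list = allowed.map((h) => h.toLowerCase());
  return function (req, res, next) {
    if (isAllowedHost(req.headers, list, opts.trustForwardedHost === true)) {
      return next();
    }
    res.statusCode = 421;
    res.setHeader("Content-Type", "text/plain");
    res.end("Misdirected Request");
  };
}
```

Register it before every other route, for example `app.use(hostAllowlist(["dev.example.com"]))` on the dev deployment, so that absolute URLs, redirects and cache keys are never built from an unexpected Host value.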