
I have two services I’m running locally on docker images. One of them is an nginx server with configuration to proxy requests to various other services, and the other is a simple React GraphiQL UI.

The nginx server is not explicitly set up to run on localhost, but when making requests with curl/Postman I can explicitly set the Host header to that of the actual URL (rather than localhost), and it will then find the correct config and the request will succeed.

The issue is that I would like to call the server from a local instance of my UI, but it’s failing because I can’t overwrite the Host header. I’ve tried to manually add it to my React fetch request, but when I check the request in the browser the header isn’t there. After some searching I then found some Slack posts saying it’s not possible, although with no references to why.

    // edgeUrl() and getApiKey() are the poster's own helpers, defined elsewhere.
    // The 'host' and 'origin' entries are the ones that never show up in the
    // browser's outgoing request.
    function runQuery(environment, partner, query) {
        return fetch(
            edgeUrl(environment) + "/some/endpoint",
            {
                method: "POST",
                headers: {
                    'Authorization': 'Bearer ' + getApiKey(partner, environment),
                    'host': 'actual.host.com',
                    'origin': 'http://localhost/'
                },
                body: JSON.stringify({ query })
            }
        );
    }

Is there any other way to override the Host used in requests? Possibly another HTTP library I could use? I’d prefer not to have to configure the nginx server for localhost, as it is owned by another team.

2 Answers


  1. Chosen as BEST ANSWER

    For anyone interested, here's some information on possible attacks using the Host header and why it's useful to validate it, which is what this service is doing.

    https://portswigger.net/web-security/host-header

    https://infosecwriteups.com/identifying-escalating-http-host-header-injection-attacks-7586d0ff2c67

    I'm going to ask the other team if I can add localhost configuration to their nginx config so that I can make requests locally. It looks like my coworker was misinformed in suggesting I override the Host header.


  2. You should not try to change the Host header. The browser won’t allow you to, and it’s not the right way to do it.

    As I see it, you have 2 options:

    1. Configure NGINX to accept requests to localhost, if that is its actual hostname.

    2. Change the hosts file to make your domain point to 127.0.0.1, which is equivalent to adding it to DNS.

    The Windows hosts file is located here: C:\Windows\System32\drivers\etc\hosts.

    You should add the following to your hosts file after the comment lines (the ones starting with #):

    127.0.0.1 actual.host.com
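The two answers share one mechanism: nginx chooses a server block by the Host header, so a request from the local UI (Host: localhost:3000) never reaches the block written for actual.host.com and falls through to whatever the default_server does, which in a Host-validating setup is a refusal. The model below is an added example, not the team's configuration or nginx's source; the server names, the upstream name and the `return 444` catch-all are constructed for illustration, and the matching order (exact names, then `*.` wildcards, then default_server) is a simplified version of nginx's. It shows why the curl request with a spoofed Host works, why the browser request fails, why an unexpected Host from a host header injection attempt is dropped rather than proxied, and what adding a localhost block (option 1 above) changes.

```python
"""Added example (not code from this thread): a small model of how nginx
selects a server block from the Host header. Names, upstream and the
catch-all block are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ServerBlock:
    names: List[str]       # the block's server_name values
    action: str            # what the block does, e.g. "proxy_pass ..." or "return 444"
    default: bool = False  # marks the default_server catch-all


def normalise_host(raw: Optional[str]) -> str:
    """Lower-case the Host value and strip the port and any trailing dot,
    mirroring the normalisation nginx applies before name matching."""
    if raw is None:                  # request carried no Host header at all
        return ""
    host = raw.strip().lower()
    if host.startswith("["):         # bracketed IPv6 literal: keep only [..]
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.split(":", 1)[0].rstrip(".")


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leading-wildcard pattern such as *.example.com."""
    if pattern.startswith("*."):
        suffix = pattern[1:]         # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def route(host_header: Optional[str], blocks: List[ServerBlock]) -> str:
    """Return the action of the block nginx would select for this Host."""
    host = normalise_host(host_header)
    # exact names win over wildcards, wildcards win over the default_server
    for block in blocks:
        if any(not n.startswith("*") and name_matches(n, host) for n in block.names):
            return block.action
    for block in blocks:
        if any(n.startswith("*") and name_matches(n, host) for n in block.names):
            return block.action
    for block in blocks:
        if block.default:
            return block.action
    return blocks[0].action          # nginx falls back to the first block


# Constructed stand-in for the other team's config: one named vhost that
# proxies, plus a default_server that drops anything with an unexpected Host.
TEAM_CONFIG = [
    ServerBlock(["_"], "return 444", default=True),
    ServerBlock(["actual.host.com", "*.actual.host.com"],
                "proxy_pass http://graphql_upstream"),
]

# The change the thread settles on: a block for the local hostnames.
LOCAL_CONFIG = TEAM_CONFIG + [
    ServerBlock(["localhost", "127.0.0.1"], "proxy_pass http://graphql_upstream"),
]

if __name__ == "__main__":
    for host in ["actual.host.com", "ACTUAL.host.com:443", "api.actual.host.com",
                 "localhost:3000", "attacker.example", None]:
        print(f"{host!r:24} team: {route(host, TEAM_CONFIG):36} "
              f"local: {route(host, LOCAL_CONFIG)}")
```

The hosts-file route (option 2) fits the same model: it changes what name the browser puts in the Host header, so the request lands on the existing actual.host.com block instead of needing a new one. Either way the catch-all keeps refusing names it was never told about, which is the validation the best answer's links describe.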
    