HAProxy community

HOST header injection


I have HA-Proxy version 1.8.19 running.

curl -I -H "Host:www.bing.com" http://www.mydomain.net
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://www.bing.com/

Could someone advise on how to avoid such HOST header injection ?


What header injection? You are making a normal HTTP request and specifying a specific Host header.

Hello Lukas

Please refer:

curl -I -H "Host:www.bing.com" http://www.mydomain.net/landingpage

This gets Location: https://www.bing.com/landingpage

Is there a possible to keep validate HOST HEADER Injection is haproxy or any other config suggestions that can avoid ?

Many Thanks!

Validate against what? A static list of yours? Sure, just use normal ACLs.

Do you mean - If Host !mydomain.net - then deny ?

Could you please post here snippet of ACL’s and validation…


Hello Lukas,

Tried this and it works. Do you foresee any other type of web-request’s issues with this config ?

http-request deny if !{ req.hdr(host) -i -m end mydomain.net }

Appreciate your help!


You probably want to prefix a dot at the domain, otherwise this would also other domains ending with that, like thatsmydomain.net for example.

But what makes sense in your situation really depends on what issue you are trying to solve, which is unclear to me at this point.