[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100
sca at andreasschulze.de
Fri Apr 3 12:58:22 CEST 2015
> So using the $host variable should be avoided where possible in my opinion
We currently do not know how to exploit that. But maybe one day ...
If a webserver should redirect (from A) to B, why should I trust that any
user really asked for A?
Just send the intended answer ...
No matter the encryption or other stuff. Simply don't use user input
where it's not needed.
Using $host has only one major benefit: it's easier to write/read in
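The two redirect styles discussed in this thread, side by side, as an added example that is not part of the original message or of the project's configuration. It assumes nginx (the server whose `$host` variable is being discussed); `www.example.org` and `example.org` are placeholder names.

```nginx
# Fragment for the http { } context. Hostnames are placeholders.

# Variant under discussion (left commented out): the redirect target is
# assembled from $host, which nginx fills from the request line or the
# client-supplied Host header. If this were the only server on port 80 it
# would also be the default server, so a request carrying any Host value
# would receive a Location header that echoes that value back.
#
# server {
#     listen 80;
#     server_name www.example.org;
#     return 301 https://$host$request_uri;
# }

# Fixed-target variant: no client-supplied name reaches the Location header.

# 1. Requests whose Host matches no configured name land in an explicit
#    catch-all and get no redirect at all. 444 is nginx's non-standard
#    code for closing the connection without sending a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# 2. Known names are redirected to one hard-coded HTTPS origin. Only the
#    path and query ($request_uri) are carried over from the request.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.org example.org;
    return 301 https://www.example.org$request_uri;
}
```

The cost of the fixed-target form is one such `server` block per canonical hostname.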