[Ach] Redirect from HTTP to HTTPS and the big bad Host header - Github Pull #100
A. Schulze
sca at andreasschulze.de
Fri Apr 3 12:58:22 CEST 2015
Christian Mehlmauer:
> So using the $host variable should be avoided where possible in my opinion
+1
We currently do not know how to exploit that. But maybe one day ...
If a webserver should redirect (from A) to B, why should I trust that any
user really asked for A?
Just send the intended answer ...
Regardless of encryption or anything else: simply don't use user input
where it's not needed.
Using $host has only one major benefit: it's easier to write/read in
documentation.
Andreas
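As an added illustration of the point made in this thread (not part of the original mail), the two nginx forms of the HTTP-to-HTTPS redirect side by side; the name example.com is a placeholder:

```nginx
# Weak form: the Location header echoes whatever Host the client sent.
# The redirect target is therefore chosen by the request, not by the server.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# Preferred form: the redirect target is the name this server block is
# actually configured for, so the client-supplied Host header is never
# copied into the response.
server {
    listen 80;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
```

A quick check after deploying: `curl -sI -H 'Host: not-my-site.invalid' http://example.com/` should return a Location header pointing at example.com, not at the supplied Host value.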