Hi everyone, I'm seeing some odd behaviour with App Engine Flex and Cloud Endpoints that might be prone to Host Header Injection.
If I send a request to the root domain of my API running on AppEngine Flex with Cloud Endpoints, with a specified HOST header, the content of the specified host is loaded as the content if the redirects are followed. Request: GET / HTTP/1.1 Host: api.my-domain.com HOST: evil.host.com Response: 302 to resolved domain http://evil.host.com/some-evil-url.html As far as I understood from the Endpoints Team, there is no way to configure the ESP to check the headers for the origin host and reject based on an allowed list or pattern. With AppEngine Flex it would be the responsibility of the application to handle this. However if the request is made against the root path, my application does not receive the request to handle it. According to the documentation https://cloud.google.com/endpoints/docs/openapi/openapi-limitations#operations_on_url_root_path_ it is not possible to provide an implementation for the root path. Are there any other ways to prevent this behaviour and protect against Host Header Injection? -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/c9082988-27db-49c7-a131-c39bead0ba4cn%40googlegroups.com.
