how are you doing friend, please how can i creat a domain with host On Wednesday, July 15, 2020 at 8:40:43 PM UTC+1 [email protected] wrote:
> Hi everyone, > I'm seeing some odd behaviour with App Engine Flex and Cloud Endpoints > that might be prone to Host Header Injection. > > If I send a request to the root domain of my API running on AppEngine Flex > with Cloud Endpoints, with a specified HOST header, the content of the > specified host is loaded as the content if the redirects are followed. > > Request: > GET / HTTP/1.1 > Host: api.my-domain.com > HOST: evil.host.com > > Response: > 302 to resolved domain http://evil.host.com/some-evil-url.html > > As far as I understood from the Endpoints Team, there is no way to > configure the ESP to check the headers for the origin host and reject based > on an allowed list or pattern. > With AppEngine Flex it would be the responsibility of the application to > handle this. > However if the request is made against the root path, my application does > not receive the request to handle it. > > According to the documentation > https://cloud.google.com/endpoints/docs/openapi/openapi-limitations#operations_on_url_root_path_ > it is not possible to provide an implementation for the root path. > > Are there any other ways to prevent this behaviour and protect against > Host Header Injection? > > > > > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/35884053-09d3-48c0-b820-d6b4753693adn%40googlegroups.com.
