On Tue, Feb 9, 2010 at 7:13 AM, Maciej Stachowiak <[email protected]> wrote:
> HTTPbis should address this threat in the security considerations section,
> and should strongly consider making it a MUST-level requirement for servers
> to check that the Host header is a host they serve. If HTTP had that
> requirement and all servers followed it, then the risk of DNS rebinding
> attacks would be eliminated.

Servers don't always know what domains they're expected to serve -- if I sudo apt-get install lighttpd and already have a domain name pointing to the server, I expect that domain name to work with no additional configuration. And this is how all the web servers I've used actually work. So, I imagine this requirement is infeasible.
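The Host-header check the quoted message proposes, as an added example that is not part of this thread or of any HTTP server's code: a small parser that normalizes the header value (case, trailing dot, optional port, bracketed IPv6 literal) and a WSGI middleware that answers 400 to any request naming a host outside an operator-supplied allowlist. The `example.com` names and the `allowed_hosts` set are constructed sample configuration; the objection in the reply, that a freshly installed server has no such list, is exactly what that parameter models, since the guard only rejects anything once the operator has filled it in.

```python
"""Host-header allowlist guard against DNS rebinding.

Added example, not code from the HTTPbis thread or any server project.
Assumes the operator supplies the set of hostnames this server serves
(constructed sample values below).
"""
import ipaddress


def parse_host_header(value):
    """Split a Host header into (host, port).

    Accepts 'host', 'host:port', '[v6]' and '[v6]:port'; lower-cases the
    host and drops a trailing dot so 'Example.COM.' matches 'example.com'.
    Returns None when the value is syntactically unusable, which the
    caller treats as "not served".
    """
    value = value.strip()
    if not value:
        return None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
        if not host:
            return None
    port = None
    if rest:
        # Anything after the host must be ':' followed by a valid port.
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
        if not 0 < port < 65536:
            return None
    return host.lower().rstrip("."), port


def host_is_served(value, allowed_hosts, listen_ports=frozenset({80})):
    """True when the Host header names a host (and port) this server serves.

    A rebinding attack arrives with the attacker's hostname in Host, so a
    name outside the configured allowlist is refused. A missing port is
    accepted; an explicit port must be one the server listens on.
    """
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    normalized = {h.lower().rstrip(".") for h in allowed_hosts}
    if host not in normalized:
        return False
    return port is None or port in listen_ports


def host_guard(app, allowed_hosts, listen_ports=frozenset({80})):
    """WSGI middleware: reject unknown Host values before `app` runs."""
    def guarded(environ, start_response):
        if host_is_served(environ.get("HTTP_HOST", ""), allowed_hosts, listen_ports):
            return app(environ, start_response)
        body = b"Bad Request: unknown Host\n"
        start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
        return [body]
    return guarded


def _hello_app(environ, start_response):
    """Trivial application standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def demo_status(host_header, allowed_hosts=frozenset({"example.com", "www.example.com"})):
    """Send one request through the guard and return the response status.

    The default allowlist is a constructed sample configuration.
    """
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    app = host_guard(_hello_app, allowed_hosts)
    list(app({"HTTP_HOST": host_header}, start_response))
    return seen["status"]


if __name__ == "__main__":
    for h in ("www.example.com", "Example.COM.:80", "rebound.attacker.test", "[::1]"):
        print(f"{h!r:28} -> {demo_status(h)}")
```

The guard is deliberately a wrapper rather than a change to the application, which is where the reply's point bites: a server can ship with the check in place but an empty allowlist, and only starts refusing requests once someone configures the names it should answer to.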
