Hi, Tomcat Dev team and Users,

I am trying to block the request and give 404 bad requests or 403 when the
HOST header does not match the requested server name.  My goal is to block
whenever there is a mismatch in the host header and URL server name.

I would appreciate your help.

curl -vvvv -k "https://10.40.43.26/login?sessionExpire=true" -H 'Host: text.com'
* Using Stream ID: 1 (easy handle 0x7f8316012800)
> GET /login?sessionExpire=true HTTP/2
> Host: text.com
> User-Agent: curl/8.1.2
> Accept: */*

Response:

< HTTP/2 200
< cache-control: no-cache, no-store, must-revalidate
< expect-ct: enforce, max-age=30, report-uri='https://report-uri.com/account/'
< pragma: no-cache
< expires: Thu, 01 Jan 1970 00:00:00 GMT
< set-cookie: JSESSIONID=4D75D564BC3CF7E406A599962DE5C092;Version=1;Path=/versa;Secure;HttpOnly;SameSite=strict
< strict-transport-security: max-age=31536000 ; includeSubDomains ; preload
< x-xss-protection: 1; mode=block
< x-frame-options: DENY
< x-content-type-options: nosniff
< referrer-policy: strict-origin-when-cross-origin
< content-type: text/html;charset=UTF-8
< content-length: 4084
< date: Sat, 19 Aug 2023 19:02:11 GMT

Here is my connector config:

    <Connector port="${tomcat.port}" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" scheme="https" secure="true"
               server="Versa Director"
               address="${tomcat.address}" maxPostSize="-1"
               allowHostHeaderMismatch="false" />


    <Connector port="${tomcat.secure.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               relaxedPathChars="[\\]^`{|}"
               relaxedQueryChars="[\\]^`{|}"
               allowHostHeaderMismatch="false"
               address="${tomcat.address}" minSpareThreads="100"
               maxThreads="200" SSLEnabled="true"
               scheme="https" secure="true" maxSwallowSize="-1"
               maxPostSize="-1">

Thanks,

Bhavesh
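The connector attribute allowHostHeaderMismatch only applies when the request line itself carries an absolute URI (for example `GET http://a.example/ HTTP/1.1` with `Host: b.example`); the request above uses a relative path, so there is no host in the request line for Tomcat to compare against and the attribute never triggers. A servlet Filter that checks the Host header against an explicit allowlist is one way to get the 403 the post asks for. The code below is an added example, not from the original post or from Tomcat itself; it assumes Tomcat 10 or later (the `jakarta.servlet` API; use `javax.servlet` on Tomcat 9), and the class name, init-param name and host values are placeholders.

```java
import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Rejects any request whose Host header is not on the allowlist.
// Register in web.xml with url-pattern "/*" and an init-param
// "allowedHosts" such as "director.example.com,10.40.43.26" (placeholders).
public class HostHeaderFilter implements Filter {
    private final Set<String> allowedHosts = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedHosts");
        if (param == null || param.isBlank()) {
            throw new ServletException("allowedHosts init-param is required");
        }
        for (String h : param.split(",")) {
            allowedHosts.add(normalizeHost(h));
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Tomcat also exposes the HTTP/2 ":authority" pseudo-header as "Host",
        // so the HTTP/2 request from the curl output above is covered as well.
        String host = ((HttpServletRequest) req).getHeader("Host");
        if (host == null || !allowedHosts.contains(normalizeHost(host))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    // Lower-cases and strips any :port suffix ("Text.com:8443" -> "text.com");
    // the ']' lookup keeps an IPv6 literal such as "[::1]:8443" intact.
    static String normalizeHost(String host) {
        String h = host.trim().toLowerCase(Locale.ROOT);
        int colon = h.indexOf(':', Math.max(0, h.indexOf(']')));
        return colon < 0 ? h : h.substring(0, colon);
    }
}
```

Because the filter runs inside the web application, a request for a Host that is not on the list is rejected before any servlet or JSP sees it, and a missing Host header is rejected the same way.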
