Protect against DNS rebinding attacks
mgedmin opened this issue
restview listens on loopback only by default, for security reasons. This is insufficient: see https://en.wikipedia.org/wiki/DNS_rebinding.
The fix is to validate the Host header in HTTP requests. If it's set to `localhost` or `127.0.0.1` (or `localhost6`? or `::1`? do browsers send `::1` or `[::1]` for ipv6?), allow; otherwise deny.

Note that the Host header may also include the port number after a `:`.

Note that domain names might have a trailing dot (e.g. `localhost.`).

Note that localhost has many IPv4 addresses (`127.x.x.x`), although I think nothing will break if I reject them. Then again, the Host header would not be a pure IP address if a DNS rebinding attack took place (and, e.g., the patch for Transmission allows all Host headers that are pure IP addresses).

This filtering should be off if you explicitly ask for a public server via `-l *:8080`.
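The Host-header check described in the issue, written out as an added Python example (this is not restview's own code). It accepts `localhost`, the whole `127.0.0.0/8` range and `::1`, in both bracketed and bare form, tolerates a `:port` suffix and a trailing dot, and rejects anything else, which is exactly the case a DNS rebinding attack produces (a Host header carrying the attacker's domain name). `localhost6` is accepted as an assumption, since the issue only asks about it; the `public` flag stands in for whatever restview does when started with `-l *:8080`. The `GuardedHandler` class shows where the check sits in a stdlib `http.server` handler; the sample Host values at the bottom are constructed for the demo.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Host names accepted as "local". "localhost6" is included as an assumption;
# the issue only raises it as a question.
LOCAL_NAMES = {"localhost", "localhost6"}


def split_host_port(host_header):
    """Split a Host header value into (host, port), port may be None.

    Handles "localhost:8080", "[::1]:8080", "[::1]" and bare "::1".
    Malformed input is returned whole as the host so the caller rejects it.
    """
    value = host_header.strip()
    if value.startswith("["):               # bracketed IPv6 literal
        end = value.find("]")
        if end == -1:
            return value, None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if rest.startswith(":"):
            return host, rest[1:]
        return value, None                  # junk after "]"
    if value.count(":") == 1:               # "name:port" or "v4addr:port"
        host, port = value.split(":", 1)
        return host, port
    return value, None                      # no port, or a bare IPv6 literal


def host_is_local(host_header):
    """True if the Host header names this machine's loopback interface."""
    if not host_header:
        return False                        # HTTP/1.1 requires Host; nothing to check, deny
    host, port = split_host_port(host_header)
    if port is not None and not port.isdigit():
        return False
    host = host.lower()
    if host.endswith("."):                  # absolute name such as "localhost."
        host = host[:-1]
    if host in LOCAL_NAMES:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False                        # any other DNS name: this is the rebinding case
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped             # "::ffff:127.0.0.1" -> 127.0.0.1
    return addr.is_loopback                 # all of 127.0.0.0/8, and ::1


def host_allowed(host_header, public=False):
    """Policy entry point: the check is skipped only for an explicitly public server."""
    if public:
        return True
    return host_is_local(host_header)


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler showing where the Host check belongs (hypothetical, not restview's)."""
    public = False   # would be set True when the user asked for something like -l *:8080

    def do_GET(self):
        if not host_allowed(self.headers.get("Host"), public=self.public):
            self.send_error(403, "Host header not allowed")
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed sample Host values, including the shapes the issue worries about.
    samples = ["localhost:8080", "LOCALHOST.", "[::1]:8080", "::1", "127.9.9.9",
               "localhost.evil.example.com", "evil.example.com:8080", "localhost:abc"]
    for h in samples:
        print(f"{h!r:32} -> {'allow' if host_allowed(h) else 'deny'}")
    # To serve with the check in place:
    # HTTPServer(("127.0.0.1", 8080), GuardedHandler).serve_forever()
```

Two design points worth noting: the check runs on the string the browser sent, never on a DNS lookup, so a rebinding record cannot influence it; and a name that merely starts with `localhost` or `127.0.0.1` (such as `localhost.evil.example.com`) is rejected because the comparison is on the whole host, not a prefix.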