URL Redirection Using "Host" Header

Suy Peang 91 Reputation points
2022-07-11T09:45:34.29+00:00

Dear All Expert,

How do I filter the parameter so that it only accepts the URL expected by the application, using IIS 10?

Best Regards,


2 answers

  1. Suy Peang 91 Reputation points
    2022-07-13T08:39:04.457+00:00

    Hi sir,

    I want to configure my IIS to

    • disclose private IP addresses and routing information to unauthorized parties.
    • How to Prevent Host Header Attacks?

  2. Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor
    2022-07-13T10:04:55.647+00:00

    @Suy Peang

    disclose private IP addresses and routing information to unauthorized parties.

    You can try this setting:

    1. Go to IIS Manager and click on the website
    2. Double click on "Configuration Editor"
    3. Go to "system.webServer/serverRuntime"
    4. Enter the public domain name of the website into "alternateHostName" field
    5. Make sure "enabled" parameter is set to "False" and Click "Apply"
    6. Reset IIS

    How to Prevent Host Header Attacks?

    You can use URL Rewrite rules in IIS to find malicious host headers. Perform the steps below:

    1. Click on the site in IIS Manager
    2. Go to "URL Rewrite" (it should be installed first)
    3. Click "Add Rule(s)"
    4. Select "Blank rule"
    5. For "Match URL" section, enter (.*) into the "Pattern"
    6. In "Conditions" section, click "Add"
    7. Enter {HTTP_HOST} into "Condition input"
    8. Select "Does Not Match the Pattern" from "Check if input string" list
    9. Enter ^([a-zA-Z0-9-_]+.)*domain.com$ into "Pattern" field (change domain name with yours)
    10. For the "Action" section, select "Redirect" from the "Action type" list
    11. Enter your domain address (https://domain.com/) in the "Redirect URL"
    12. Select "Permanent (301)" from the "Redirect type" list
    13. Click "Apply"

    For more information, you can refer to this link: 1031958


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

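The two IIS Manager procedures above, written out as the equivalent `web.config` fragment. This is an added example, not configuration from the answer or from Microsoft; `example.com` stands in for the site's real public host name, and the Host-header pattern escapes the dots so that they only match literal dots.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- First procedure: IIS builds its own redirect Location headers
         (e.g. the trailing-slash redirect for a directory) from this
         name instead of the server's IP, so a request with a missing
         or odd Host header no longer reveals the private address.
         Note: serverRuntime is locked at the server level by default
         (overrideModeDefault="Deny"); if IIS rejects it here, put the
         same element in applicationHost.config inside a
         <location path="example.com"> element for this site. -->
    <serverRuntime alternateHostName="example.com" />

    <rewrite>
      <rules>
        <!-- Second procedure: any request whose Host header is not
             example.com or one of its subdomains is sent back to the
             canonical site with a 301. negate="true" is the
             "Does Not Match the Pattern" choice; ignoreCase defaults
             to true, so mixed-case hosts are still accepted. -->
        <rule name="Unexpected Host header" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- Anchored at both ends so "example.com.evil.test" fails.
                 If the site listens on a non-default port, HTTP_HOST
                 carries "host:port"; allow it with (:[0-9]+)?$ -->
            <add input="{HTTP_HOST}"
                 pattern="^([a-zA-Z0-9-]+\.)*example\.com$"
                 negate="true" />
          </conditions>
          <!-- {R:0} keeps the requested path; the query string is
               appended automatically (appendQueryString defaults to true). -->
          <action type="Redirect"
                  url="https://example.com/{R:0}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The rule only matters while a binding without a host name (a catch-all) exists on the server; if every binding specifies a host name, HTTP.sys already rejects requests with an unmatched Host header before any site or rewrite rule is reached.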