diff --git a/server_admin/topics.adoc b/server_admin/topics.adoc index 0895c93878..08fbe67dd8 100644 --- a/server_admin/topics.adoc +++ b/server_admin/topics.adoc @@ -95,6 +95,7 @@ include::topics/events/admin.adoc[] include::topics/export-import.adoc[] include::topics/account.adoc[] include::topics/threat.adoc[] +include::topics/threat/host.adoc[] include::topics/threat/brute-force.adoc[] include::topics/threat/clickjacking.adoc[] include::topics/threat/ssl.adoc[] diff --git a/server_admin/topics/threat/host.adoc b/server_admin/topics/threat/host.adoc new file mode 100644 index 0000000000..e06cdef92c --- /dev/null +++ b/server_admin/topics/threat/host.adoc @@ -0,0 +1,40 @@ + +=== Host + +{project_name} uses the request URL for a number of things. For example, the URL sent in password reset emails. + +By default, the request URL is based on the `Host` header and there is no check to make sure this URL is the valid and +correct URL. + +If you are not using a load balancer or proxy in front of {project_name} that prevents invalid host headers, you must +explicitly configure what URLs should be accepted. + +The following example will only permit requests to `localhost.localdomain` or `localhost`: + +[source,xml,subs="attributes+"] +---- + + + ... + + + + + + +---- + +The changes that have been made from the default config is to add the attribute `default-host="ignore"` and update the +attribute `alias`. `default-host="ignore"` prevents unknown hosts from being handled, while `alias` is used to list the +accepted hosts. + +Here is the equivalent configuration using CLI commands: + +[source,bash] +---- +/subsystem=undertow/server=default-server:write-attribute(name=default-host,value=ignore) +/subsystem=undertow/server=default-server/host=default-host:write-attribute(name=alias,value=[localhost.localdomain, localhost] + +:reload +---- +
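Review bot: the CLI example in the new `host.adoc` is not valid jboss-cli syntax: `/subsystem=undertow/server=default-server/host=default-host:write-attribute(name=alias,value=[localhost.localdomain, localhost]` is missing its closing parenthesis, so a reader pasting the block will get a parse error before `:reload` is reached; it should end with `localhost])`. The XML listing above it is also empty as submitted, showing only `...` and blank lines, while the paragraph that follows tells the reader to add `default-host="ignore"` and change `alias` without saying on which elements; since the CLI commands identify the targets as `/subsystem=undertow/server=default-server` and its `host=default-host` child, the listing should show those `<server>` and `<host>` elements of the `undertow` subsystem with the two attributes in place, and the prose should name them. Two grammar fixes in the same paragraph: "The changes that have been made from the default config is" should read "are", and "For example, the URL sent in password reset emails." is a sentence fragment that should be folded into the preceding sentence. One documentation gap a reader will hit: "`default-host="ignore"` prevents unknown hosts from being handled" does not say what a request carrying an unlisted `Host` header actually receives, which is exactly what an operator needs to know when checking that the setting took effect; a sentence stating the observed response (and that hosts must be listed exactly, since the example lists both `localhost.localdomain` and `localhost` separately) would make the section verifiable.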