Hacker News new | past | comments | ask | show | jobs | submit login

For these localhost-only servers, a simple check on Host is fine. E.g. if you're on 127.0.0.1:3000, checking that Host is strictly 127.0.0.1:3000 or localhost:3000 is good enough.



Doesnt dns rebinding trick your browser into thinking this is indeed your host?


DNS rebinding involves changing your host's really-low-TTL A record to 127.0.0.1 (or other internal IP), and then on next request the browser will then assume that's what the host is and make call to that new IP assuming same-origin...but it sets the Host header as what the browser thinks represents that IP. If it's not localhost or 127.0.0.1 (for this use case) then we know someone tricked into thinking it was theirs that was our local IP. So check the Host to make sure it isn't someone else's host "re-bound" to your IP.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: