Information
Host headers provide the ability to host multiple websites on the same IP address and port. It is recommended that host headers be configured for all sites.
Note: Wildcard host headers are now supported.
Rationale:
A site bound without a host header answers any request that reaches its IP address and port, whatever the Host value in the request. Requiring a host header for all sites therefore reduces the probability that DNS rebinding attacks succeed in compromising or abusing site data or functionality, and that IP-based scans identify or interact with a target application hosted on IIS.
Impact:
If a wildcard DNS entry exists and a wildcard host header is used, it may be serving data to more domains than intended.
Solution
Obtain a listing of all sites, including their bindings, by using the following appcmd.exe command:
%systemroot%\system32\inetsrv\appcmd.exe list sites
Enter the following command in AppCmd.exe to configure the host header:
%systemroot%\system32\inetsrv\appcmd.exe set config -section:system.applicationHost/sites "/[name='<website name>'].bindings.[protocol='http',bindingInformation='*:80:'].bindingInformation:*:80:<host header>" /commit:apphost
Note: the binding to be changed is matched on its current value *:80: (no host header) and is then rewritten as *:80:<host header>.
OR
Enter the following command in PowerShell to configure the host header:
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "system.applicationHost/sites/site[@name='<website name>']/bindings/binding[@protocol='http' and @bindingInformation='*:80:']" -Name 'bindingInformation' -Value '*:80:<host header value>'
Note: the -Filter value must be enclosed in double quotes because the XPath expression itself contains single quotes.
OR
Perform the following in IIS Manager to configure host headers for the Default Web Site:
Open IIS Manager
In the Connections pane expand the Sites node and select Default Web Site
In the Actions pane click Bindings
In the Site Bindings dialog box, select the binding for which host headers are going to be configured, Port 80 in this example
Click Edit
Under Host name, enter the site's FQDN, such as www.examplesite.com
Click OK, then Close
Note: Requiring a host header may impair site functionality for HTTP/1.0 clients.
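The following PowerShell is an added example, not part of the benchmark text: it audits every site for http/https bindings that carry no host header and then sets a host header on one of them using the same Set-WebConfigurationProperty call as above. The site name 'Default Web Site' and the host name www.examplesite.com are assumed placeholders; run it in an elevated session on a server with the WebAdministration module (IIS 7.5 and later).

```powershell
# Added example (not from the benchmark). Assumes an elevated session and the
# WebAdministration module; site and host names below are placeholders.
Import-Module WebAdministration

function Get-BindingsWithoutHostHeader {
    # bindingInformation has the form "<ip>:<port>:<hostheader>". The IP part
    # may itself contain colons for IPv6 ("[::1]:80:"), so take the text after
    # the last colon rather than splitting on ':'.
    foreach ($site in Get-ChildItem IIS:\Sites) {
        foreach ($b in $site.bindings.Collection) {
            if ($b.protocol -notin @('http', 'https')) { continue }
            $info = $b.bindingInformation
            $hostHeader = $info.Substring($info.LastIndexOf(':') + 1)
            if ([string]::IsNullOrEmpty($hostHeader)) {
                [pscustomobject]@{
                    Site     = $site.Name
                    Protocol = $b.protocol
                    Binding  = $info
                }
            }
        }
    }
}

function Set-HostHeader {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$HostHeader,
        [int]$Port = 80,
        [ValidateSet('http', 'https')][string]$Protocol = 'http'
    )
    # Wildcard host headers combined with a wildcard DNS entry can expose the
    # site to more names than intended (see Impact above), so flag them.
    if ($HostHeader.Contains('*')) {
        Write-Warning "Wildcard host header '$HostHeader' may serve more domains than intended"
    }
    # Match only the binding that currently has no host header ("*:<port>:")
    # and rewrite it to carry the FQDN. Double quotes around the XPath are
    # required because the expression contains single quotes.
    $filter = "system.applicationHost/sites/site[@name='$SiteName']/bindings/binding[@protocol='$Protocol' and @bindingInformation='*:${Port}:']"
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter `
        -Name 'bindingInformation' -Value "*:${Port}:$HostHeader"
}

# Usage: audit, remediate one site, audit again.
Get-BindingsWithoutHostHeader | Format-Table -AutoSize
Set-HostHeader -SiteName 'Default Web Site' -HostHeader 'www.examplesite.com'
Get-BindingsWithoutHostHeader | Format-Table -AutoSize
```

The audit function reports https bindings as well, because a TLS binding without a host header has the same exposure to IP-based discovery; remediate those with -Protocol https -Port 443. Re-running the audit after the change should no longer list the site.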
Default Value:
By default, host headers are not required or set up automatically.