2.4.2 Ensure requests for unknown host names are rejected

Information

Your host header should be part of a predefined allowlist of known good hosts, which enables blocking access to other hosts. You should treat the host header as another input to be validated, as it is defined by the user agent.

Rationale:

Allowlisting specific hosts and blocking access to all other hosts, you help to mitigate host header injection attacks against your server. Such attacks could be used by an attacker to redirect you to a rogue host and execute scripts or get you to input credentials.

Impact:

If you are in an environment such as the cloud, you should not put an IP address or default hostname as your server_name because these addresses are often ephemeral in nature. Additionally, you will be blocked from accessing your site if you use a means of access that does not directly reference names in the server_name directive. You should reserve a DNS name to use for implementing this recommendation.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Ensure your first server block mirrors the below in your nginx configuration, either at /etc/nginx/nginx.conf or any included file within your nginx config:

server {
return 404;
}

Then investigate each server block to ensure the server_name directive is explicitly defined. Each server block should look similar to the below with the defined hostname of the associated server block in the server_name directive. For example, if your server is cisecurity.org, the configuration should look like the below example:

server {
listen 443;
server_name cisecurity.org;
.....
}

Default Value:

This is not set by default.

See Also

https://workbench.cisecurity.org/benchmarks/17381

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|5.1

Plugin: Unix

Control ID: aecf6870936738c4496d6bdf4840a606dc525670ed73bae427bfbc195a281455