Configuring the Host Header validation whitelist

Host header validation ensures that the Host header or X-Forwarded-Host header supplied in the user's request matches an endpoint supported by the application. Its purpose is to block attempts to inject harmful payloads.

  1. Access the Grid Management Pages as grid-admin.
  2. Select Configuration > Grid Properties and expand the Grid HTTP Configuration group.
  3. Ensure that the Host Header Validation property is set to True.
  4. Configure the Host Header Validation Whitelist property, ensuring that it only contains valid and required hosts. For example, ELB addresses or other valid server aliases can be listed here.
    Note: These addresses are already considered valid, and should be omitted from the whitelist:
    • External addresses configured in the Grid routers
    • Internal router and host address identities
    • Localhost
    • Loopback
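
The following is an added example, not the product's own code, showing the general shape of the check described above: each Host and X-Forwarded-Host value is normalized and compared against a whitelist, with localhost and loopback accepted implicitly. The function names, the sample hostnames and the choice to reject a request when any forwarded value fails are assumptions; the router-configured addresses from the note are not modelled.

```python
import ipaddress
import re

# Constructed allowlist, standing in for the whitelist property's value
# (for example an ELB address and a server alias).
ALLOWLIST = {"grid-elb.example.com", "portal.example.com"}

def normalize_host(value):
    """Return the lower-cased host without its port, or None if malformed."""
    value = value.strip().lower()
    if not value or any(c in value for c in " \t/\\@?#"):
        return None
    if value.startswith("["):  # bracketed IPv6 literal such as [::1]:8443
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    if rest and not re.fullmatch(r":[0-9]+", rest):
        return None  # anything after the host must be ":<digits>"
    return host.rstrip(".") or None

def is_implicitly_valid(host):
    """Assumption: only localhost and loopback are modelled as built-ins."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def validate_request(headers, allowlist=ALLOWLIST):
    """Check Host and, when present, every X-Forwarded-Host value.
    Assumes header names are already in canonical case."""
    candidates = [headers.get("Host", "")]
    if "X-Forwarded-Host" in headers:
        candidates += headers["X-Forwarded-Host"].split(",")
    for raw in candidates:
        host = normalize_host(raw)
        if host is None:
            return False, f"malformed host value: {raw.strip()!r}"
        if host not in allowlist and not is_implicitly_valid(host):
            return False, f"host not allowed: {host}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample request with a forwarded host that is not listed
    print(validate_request({"Host": "Portal.Example.com:8443",
                            "X-Forwarded-Host": "unlisted.example.net"}))
```

Comparing the normalized host for exact equality, rather than by prefix or substring, is what keeps values such as `portal.example.com@other.example.net` from passing.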