<div>
The primary advice in the article is &nbsp;&quot;don’t trust the host header.&quot;, like how you never trust URL or FORM variables. &nbsp;Since it's client supplied, don't construct code that uses the raw host header like this: &nbsp; &nbsp;<br />
<br />

<pre><code id="code-20-42568886-1">&lt;form method=&quot;post&quot; action=&quot;#CGI.HTTP_HOST#/somescript.cfm?param1=aaa&amp;param2=bbbb&quot; &gt; ... OR
&lt;script src=&quot;http://#CGI.HTTP_HOST#/script.js&quot;&gt; ... OR
&lt;a href='http://#getHttpRequestData().headers[&quot;Host&quot;]#/resetpassword.cfm?param1=xxxxxxx'&gt;Reset&lt;/a&gt;</code></pre>
<br />
If you're using IIS, <a href="https://security.stackexchange.com/questions/54572/iis-host-header-attacks" rel="ugc">this thread </a> also suggests using bindings to prevent the requests from reaching the web site. &nbsp;Sounds aimilar to the whitelist concept mentioned in the article.
</div>


The primary advice in the article is  "don’t trust the host header.", like how you never trust URL or FORM variables.  Since it's client supplied, don't construct code that uses the raw host header like this:    



<form method="post" action="#CGI.HTTP_HOST#/somescript.cfm?param1=aaa&param2=bbbb" > ... OR
<script src="http://#CGI.HTTP_HOST#/script.js"> ... OR
<a href='http://#getHttpRequestData().headers["Host"]#/resetpassword.cfm?param1=xxxxxxx'>Reset</a>


If you're using IIS, this thread [https://security.stackexchange.com/questions/54572/iis-host-header-attacks] also suggests using bindings to prevent the requests from reaching the web site.  Sounds aimilar to the whitelist concept mentioned in the article.

<div>
Thanks _agx_ . This issue definitely required a seasoned Programmer to respond. Could you point me to bindings in IIS? I need to forward it to my admin guys.
</div>


Thanks _agx_ . This issue definitely required a seasoned Programmer to respond. Could you point me to bindings in IIS? I need to forward it to my admin guys.

<div>
<div class="content wysiwyg-content">
Experts, <br />
<br />
How to Address <a href="https://www.acunetix.com/blColdFusions/automated-detection-of-host-header-attacks/" rel="ugc">Host Header Attack </a>in <br />
ours is a coldfusion site.
</div>
</div>


Experts, 

How to Address Host Header Attack  (https://www.acunetix.com/blColdFusions/automated-detection-of-host-header-attacks/)in 
ours is a coldfusion site.

Address Hostheader attack issue security fix in ColdFusion.

ColdFusion is a server-side rapid application development platform originally created by Allaire and now sold by Adobe, implementing the dynamic general purpose CFML programming language. The term ColdFusion is sometimes colloquially used to refer to the CFML language (Cold Fusion Markup Language), but can also include discussions of the server software implementation. ColdFusion runs using a customised version of Apache Tomcat. Earlier versions are bundled with JRun.

ColdFusion Language

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.