Validate Host Header:
- When a server receives an HTTP request, it looks at the Host header.
- Make sure the Host header only allows specific values that you trust.
Whitelist Loopback Addresses:
- If your service is on the loopback interface (like localhost), only allow specific values, such as “localhost” and reserved numeric addresses like “127.0.0.1”.
- For example, if your service listens on “127.0.0.1:3000”, check that the Host header exactly matches “127.0.0.1:3000” or “localhost:3000”; a substring check is not enough.
Authentication for Network Services:
- For services accessible over the network, always require authentication. This ensures that only authorized users can access your services.
Don’t Rely on Filtering DNS Responses:
- Filtering DNS responses (like blocking certain addresses) is not enough. It’s not a reliable defense against DNS rebinding attacks.
Consider Additional Loopback Addresses:
- Depending on your setup, you might need to whitelist other loopback addresses like “127.0.0.2” for extra security.
Beware of Singularity Bypass:
- Be aware of Singularity, a DNS rebinding tool whose techniques can bypass filters in specific situations (for example, by answering with a localhost record in Google Chrome).
- Your defense strategy should not solely rely on DNS response filtering.