disclose private IP addresses and routing information to unauthorized parties.
You can try this setting:
- Go to IIS Manager and click on the website
- Double click on "Configuration Editor"
- Go to "system.webServer/serverRuntime"
- Enter the public domain name of the website into "alternateHostName" field
- Make sure "enabled" parameter is set to "False" and Click "Apply"
- Reset IIS
How to Prevent Host Header Attacks?
You can use URL Rewrite rules in IIS to find malicious host headers. Perform the steps below:
- Click on the site in IIS Manager
- Go to "URL Rewrite" (it should be installed first)
- Click "Add Rule(s)"
- Select "Blank rule"
- For the "Match URL" section, enter (.*) into the "Pattern" field
- In "Conditions" section, click "Add"
- Enter {HTTP_HOST} into "Condition input"
- Select "Does Not Match the Pattern" from "Check if input string" list
- Enter ^([a-zA-Z0-9_-]+\.)*domain\.com$ into the "Pattern" field (replace the domain name with yours)
- For the "Action" section, select "Redirect" from the "Action type" list
- Enter your domain address (https://domain.com/) in the "Redirect URL"
- Select "Permanent (301)" from the "Redirect type" list
- Click "Apply"
For more information, you can refer to this link: 1031958
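Added example, not part of the original answer: a JavaScript check of the {HTTP_HOST} condition pattern from the URL Rewrite steps against constructed Host values, showing how the rule behaves with the dots escaped and unescaped. It assumes the rule's default "Ignore case" setting and keeps the page's placeholder domain.com; the function and constant names are hypothetical.

```javascript
// Added example: evaluates the {HTTP_HOST} condition from the steps above.
// "domain.com" is the page's placeholder; the Host values are constructed.

// Pattern with the dots escaped, so "." only matches a literal dot.
const ESCAPED = /^([a-zA-Z0-9_-]+\.)*domain\.com$/i;
// Same pattern with bare dots, where "." matches any single character.
const UNESCAPED = /^([a-zA-Z0-9_-]+.)*domain.com$/i;

// Mirrors the rule: "Does Not Match the Pattern" leads to Redirect (301).
function ruleAction(pattern, hostHeader) {
  return pattern.test(hostHeader) ? "pass" : "redirect";
}

// Evaluates every host against both patterns for side-by-side comparison.
function evaluate(hosts) {
  return hosts.map((host) => ({
    host,
    escaped: ruleAction(ESCAPED, host),
    unescaped: ruleAction(UNESCAPED, host),
  }));
}

// Constructed sample Host header values.
const SAMPLE_HOSTS = [
  "domain.com",             // the site itself
  "www.domain.com",         // subdomain
  "WWW.Domain.Com",         // mixed case
  "domain.com:8443",        // Host header carrying an explicit port
  "notdomain.com",          // different registrable domain
  "domainxcom",             // no dot at all
  "domain.com.example.net", // expected name used only as a prefix
  "",                       // empty Host value
];

console.table(evaluate(SAMPLE_HOSTS));
```

With the dots unescaped, "notdomain.com" and "domainxcom" pass the condition and are served instead of redirected. A Host value with an explicit port does not match the anchored pattern and is redirected as well.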