2.14 Host Header Injection Attack Recommendations

A web server may host several web applications on the same IP address, distinguishing them by virtual host. Web servers commonly dispatch an incoming HTTP request to the target virtual host based on the value of the Host header. If that value is not validated, an attacker who supplies an arbitrary Host value can cause the web server, or an application behind it that trusts the header, to:

  • dispatch the request to the first (default) virtual host defined in the configuration
  • generate a redirect to an attacker-controlled domain, for example when the application builds absolute URLs from the Host header
  • poison a web cache, when a response generated with the attacker's Host value is stored and later served to other users

We recommend adding the following configuration inside the VirtualHost directive of the ssl.conf file of the OHS instance. The file is located at:

domains\<Your_domain>\config\fmwconfig\components\OHS\<OHS_instance>

<VirtualHost *:<OHS_PORT>>
            ServerName <OHS_DOMAIN>
            RewriteEngine on
            RewriteOptions inherit
            RewriteCond %{HTTP_HOST} !^(<OHS_DOMAIN>|<OHS_DOMAIN>:<OHS_PORT>)$ [NC]
            RewriteRule ^(.*)$ - [F,L]
</VirtualHost>

The RewriteCond compares the Host header (%{HTTP_HOST}, which includes the port when the client sends one) against the expected host name and negates the match with the leading "!". When the header does not match, the RewriteRule substitutes nothing ("-") and answers 403 Forbidden (F); L stops further rewriting. The condition pattern is a regular expression, so two details matter in practice: it must be anchored with ^ and $, otherwise a Host such as <OHS_DOMAIN>.attacker.example would be accepted because it merely contains the expected name, and the dots of the real domain should be escaped (for example ohs\.example\.com) because an unescaped dot matches any character. [NC] makes the comparison case-insensitive, as host names are. A request that carries no Host header at all (HTTP/1.0) is rejected as well, since an empty value does not match.

Because a request whose Host value matches no ServerName is dispatched to the first VirtualHost defined for that address and port, the check only protects the deployment if it is also present in that default virtual host (or if this virtual host is the first one); otherwise the attacker can simply target the default host with an arbitrary Host value.
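The following script is an added illustration and is not part of the original OHS guidance. It emulates the RewriteCond match with Python's re module, which behaves like mod_rewrite's PCRE for these patterns, and compares a literal, unanchored transcription of the condition against the anchored, escaped form over a set of constructed Host header values. The domain ohs.example.com and port 4443 are placeholders chosen for the example.

```python
import re

# Placeholder values standing in for <OHS_DOMAIN> and <OHS_PORT> (constructed for this example).
OHS_DOMAIN = "ohs.example.com"
OHS_PORT = "4443"

# Literal, unanchored transcription of the condition pattern. The dots in the
# domain are unescaped regex metacharacters here, and nothing pins the match
# to the start or end of the header value.
LOOSE = re.compile(f"({OHS_DOMAIN}|{OHS_DOMAIN}:{OHS_PORT})")

# Anchored and escaped form with case-insensitive matching (the [NC] flag):
# the whole header must equal the domain, with or without the expected port.
STRICT = re.compile(
    rf"^(?:{re.escape(OHS_DOMAIN)}|{re.escape(OHS_DOMAIN)}:{OHS_PORT})$",
    re.IGNORECASE,
)


def host_allowed(host, pattern):
    """Emulate `RewriteCond %{HTTP_HOST} !<pattern>` followed by
    `RewriteRule ^(.*)$ - [F,L]`.

    RewriteCond applies the pattern as a search (not a full match), so a
    pattern without ^ and $ succeeds anywhere inside the header value.
    Returns True if the request would be served and False if it would be
    answered with 403 Forbidden.
    """
    return pattern.search(host) is not None


# Constructed sample Host header values, including bypass attempts.
SAMPLE_HOSTS = [
    "ohs.example.com",                   # expected host
    "ohs.example.com:4443",              # expected host with port
    "OHS.EXAMPLE.COM",                   # same host, different case
    "attacker.example",                  # unrelated host
    "ohs.example.com.attacker.example",  # expected host used as a prefix
    "ohsXexampleYcom",                   # unescaped dots match any character
    "",                                  # HTTP/1.0 request without a Host header
]


def evaluate(hosts=SAMPLE_HOSTS):
    """Return {host: (served_by_loose_pattern, served_by_strict_pattern)}."""
    return {h: (host_allowed(h, LOOSE), host_allowed(h, STRICT)) for h in hosts}


if __name__ == "__main__":
    for host, (loose, strict) in evaluate().items():
        print(f"{host!r:40} loose={'served' if loose else '403':7} "
              f"strict={'served' if strict else '403'}")
```

Running the script shows that the unanchored pattern serves ohs.example.com.attacker.example and ohsXexampleYcom, while the anchored pattern serves only the exact host name, with or without the expected port. On a live instance the equivalent check is `curl -sk -o /dev/null -w '%{http_code}\n' -H 'Host: attacker.example' https://<OHS_DOMAIN>:<OHS_PORT>/`, which should print 403, while the same request without the modified header returns the application's normal status.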