Legacy Knowledge Base
Published Jul. 2, 2025

Preventing host header attack vulnerabilities

Written By

Jordi Rodó

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

Issue

  • Manipulating the Host header of a request can affect page rendering, redirections, and other server-side behaviors.
  • This manipulation could lead, for example, to Cross-Site Scripting (XSS).

Environment

  • Liferay Quarterly Release and 7.4.
  • Liferay DXP 7.0, 7.1, 7.2, 7.3

Solution

  • Liferay ships with a servlet filter that checks the request for a valid host name:
    # The valid host name filter will check the host name from request's
    # host header. It rejects a request with invalid server name to prevent XSS
    # and other host header manipulation attacks.
    com.liferay.portal.servlet.filters.validhostname.ValidHostNameFilter=true
    • Verify the current value in Control Panel → System → Server Administration → Properties → Portal Properties → Search by 'ValidHostNameFilter'
  • If this filter is enabled (the default), it checks the host name against the domains specified in the following property:
    # Input a list of comma delimited valid domains and IPs that the portal is
    # allowed to use.
    virtual.hosts.valid.hosts=*
    #virtual.hosts.valid.hosts=localhost,127.0.0.1,[::1],[0:0:0:0:0:0:0:1]
    • To restrict requests to your own domain, set the domain you are using in the property above.
    • The default value of this property was modified as a BREAKING CHANGE.
  • Note that the host validator also takes additional factors into account, such as the instance domain configured in the Liferay administration (Control Panel → System → Virtual Instances → 'Virtual Host' column).
  • You can also implement your own web server rules if you need a custom configuration. This approach is also recommended as an extra security measure.
  • You can test the configuration with curl while checking the server logs for more information:
    curl -H "Host: invalid.host" "http://localhost:8080/"
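To see how a host header allow-list of the kind configured in `virtual.hosts.valid.hosts` behaves, here is an added Python model of the check described above. It is not Liferay's own `ValidHostNameFilter` code; it assumes the property's comma-delimited format from this article, treats `*` as "accept any host", and uses a hypothetical `instance_hosts` parameter to stand in for the Virtual Instance domains that the real validator also considers.

```python
import ipaddress


def parse_valid_hosts(prop_value: str) -> set[str]:
    """Split a virtual.hosts.valid.hosts value ("a,b,[::1]") into a set of entries."""
    return {h.strip().lower() for h in prop_value.split(",") if h.strip()}


def host_from_header(host_header: str) -> str:
    """Return the host part of a Host header, dropping an optional :port."""
    value = host_header.strip().lower()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        return value[: end + 1] if end != -1 else ""
    return value.split(":", 1)[0]


def normalize(host: str) -> str:
    """Canonicalize bracketed IPv6 so [0:0:0:0:0:0:0:1] and [::1] compare equal."""
    host = host.strip().lower()
    if host.startswith("[") and host.endswith("]"):
        try:
            return "[" + str(ipaddress.IPv6Address(host[1:-1])) + "]"
        except ValueError:
            return host  # not a valid IPv6 literal; compare it as plain text
    return host


def is_valid_host(host_header: str, valid_hosts: str, instance_hosts=()) -> bool:
    """Model of the allow-list check: True if the request's host should be accepted.

    instance_hosts is a constructed stand-in for the Virtual Instance domains.
    """
    allowed = parse_valid_hosts(valid_hosts)
    if "*" in allowed:  # wildcard entry: every Host header passes
        return True
    candidate = normalize(host_from_header(host_header))
    if not candidate:
        return False
    allowed_norm = {normalize(h) for h in allowed}
    allowed_norm |= {normalize(h) for h in instance_hosts}
    return candidate in allowed_norm


if __name__ == "__main__":
    # Constructed sample: the commented-out default list from this article.
    prop = "localhost,127.0.0.1,[::1],[0:0:0:0:0:0:0:1]"
    for hdr in ("localhost:8080", "[0:0:0:0:0:0:0:1]:8080", "invalid.host"):
        print(f"{hdr!r:28} -> {'accept' if is_valid_host(hdr, prop) else 'reject'}")
```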

Additional Information

