Header-Based Open Redirect


It is also called Host Header Injection as Host Header is added in HTTP Request.

The attacker adds Host: attacker.com and check the response's status code is either of 301/307/308, which is for redirection.

Sometime, X-Forwarded-Host: attacker.com will give redirection to attacker.com.


Let's consider normal HTTP request,

GET / HTTP/1.1
Host: somesite.com

It gives response header as,

HTTP/2 200 OK
date: Wed, 13 May 2020 14:18:47 GMT

Now, When I add Host: attacker.com in Request Header, like

GET / HTTP/1.1
Host: attacker.com

It gives response header as,

HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://attacker.com/
Connection: close


  • It does not have much impact, as attackers can't add the Host header in the victim's request.
  • It may lead to Open redirection with the help of Web Cache Poisoning.


  • Always validate the host header.
  • Maintain Whitelist of allowed hosts.