Greg Parks (GPARKS952)
Pega Application Architect, Unitedhealth Group, Inc.
Member since 2014, 6 posts
Posted: August 25, 2016
Last activity: August 30, 2016

Host HTTP Header(s) and X-Forwarded-Host in PRPC 7.1.8

Does Pega use these, or expect these headers to have certain values? I think not, based on what I'm getting from our security team, but what can I/should I do about it?

We had a whitehat scan of our application; the team reports that it's possible to inject the Host [HTTP] header and X-Forwarded-Host, and Pega is passing these back unmodified, which is a vulnerability for attack.

So, does Pega use these? I note that in 7.2.1, X-Forwarded-* will "replace" the ContextRewriteEnabled mechanism for generating absolute URLs; but can I just (for now) disable these?

How would I do that? Is this an application server setting, or a web server setting, or what? (We have an F5 fronting an IHS web server, and WebSphere Application Server [8.5, if I recall, but I'm not sure of the version]; so what config do I need to change?)

Or, is Pega using these, and if so, how are bad values being passed through?

***Updated by Moderator: Marissa to update categories***
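An added example, not from the original post and not Pega's own code, showing the class of bug the scan is reporting: an application that builds absolute URLs (redirects, links, generated resource URLs) from the request's Host or X-Forwarded-Host header reflects whatever a client sends, while a version that checks the header against an allow-list of known hostnames and otherwise falls back to a configured canonical base does not. The hostnames, the `/prweb/` path, the request dictionaries and the helper names are all assumptions made for the example; the header names and their meaning are standard. The same principle applies at the F5/IHS tier: a reverse proxy should overwrite client-supplied X-Forwarded-* headers with values it sets itself rather than pass them through.

```python
"""Absolute-URL generation from Host / X-Forwarded-Host: unchecked vs. allow-listed.

Added example; not from the original post or from Pega. Hostnames, paths and
helper names are assumptions chosen for illustration.
"""
from urllib.parse import urlsplit

# Constructed sample requests, as a proxy chain (F5 -> IHS -> application server)
# might hand them to the application. Header names are case-insensitive, so the
# keys are stored lowercased.
LEGIT_REQUEST = {
    "host": "prpc.example.com",
    "x-forwarded-proto": "https",
}
INJECTED_XFH_REQUEST = {
    "host": "prpc.example.com",
    "x-forwarded-host": "evil.example.net",   # constructed: injected by the client
    "x-forwarded-proto": "https",
}
INJECTED_HOST_REQUEST = {
    "host": "evil.example.net:8443",          # constructed: client rewrote Host outright
}

# Assumed canonical names for the deployment; in practice this comes from configuration.
TRUSTED_HOSTS = {"prpc.example.com", "prpc.example.com:443"}
CANONICAL_BASE = "https://prpc.example.com"


def absolute_url_unchecked(headers, path):
    """Vulnerable pattern: trusts X-Forwarded-Host, then Host, verbatim.

    Whatever the client sent ends up in the generated URL, which is exactly
    what a scanner flags as Host header / X-Forwarded-Host injection.
    """
    scheme = headers.get("x-forwarded-proto", "http")
    host = headers.get("x-forwarded-host") or headers.get("host", "")
    return f"{scheme}://{host}{path}"


def host_is_trusted(value, trusted=TRUSTED_HOSTS):
    """Exact-match allow-list check on a host[:port] value.

    Rejects values carrying path, userinfo or whitespace characters, and only
    accepts exact entries (no suffix matching, which would let
    'prpc.example.com.evil.net' through).
    """
    if not value or any(ch in value for ch in "/\\@ \t,"):
        return False
    return value.lower().rstrip(".") in trusted


def absolute_url_checked(headers, path, trusted=TRUSTED_HOSTS, fallback=CANONICAL_BASE):
    """Hardened pattern: honour X-Forwarded-Host / Host only when allow-listed.

    If the candidate host is not one of ours, the URL is built from the
    configured canonical base instead of from anything the client supplied.
    """
    candidate = headers.get("x-forwarded-host") or headers.get("host")
    if candidate and host_is_trusted(candidate, trusted):
        scheme = "https" if headers.get("x-forwarded-proto") == "https" else "http"
        return f"{scheme}://{candidate.lower()}{path}"
    return fallback + path


def reflected_host(url):
    """Return the host portion of a generated URL, for comparing the two behaviours."""
    return urlsplit(url).netloc


if __name__ == "__main__":
    for name, req in (("legit", LEGIT_REQUEST),
                      ("injected X-Forwarded-Host", INJECTED_XFH_REQUEST),
                      ("injected Host", INJECTED_HOST_REQUEST)):
        print(f"{name:26s} unchecked -> {absolute_url_unchecked(req, '/prweb/')}")
        print(f"{name:26s} checked   -> {absolute_url_checked(req, '/prweb/')}")
```

To reproduce the scanner's finding against a real deployment, send a request with an extra `X-Forwarded-Host: evil.example.net` header (or a rewritten `Host:`) and look for that value in any Location header, absolute link or generated resource URL in the response; if it appears, the application is behaving like `absolute_url_unchecked` above.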


Moderation Team has archived this post. This thread is closed to future replies; content and links will no longer be updated.