Validate HTTP host headers
When enabled, SolarWinds Platform validates Host headers for each incoming request. The platform compares the header to a trusted list of allowed addresses and hostnames. When needed, the platform uses DNS. Unsafe or untrusted hostnames are blocked, logged, and redirected to a safe login page.
HTTP Host Header Validation protects the SolarWinds Platform from host header injection attacks. These attacks can redirect users, bypass authentication mechanisms, or enable other malicious behavior by manipulating the Host header in HTTP requests.
Configure allowed host headers
- Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows:
  [hostname]/Orion/Admin/advancedconfiguration/global.aspx
- Locate AllowedHttpRequestHostHeaders.
- Enter one or more hostnames, separated by commas.
- Select Save.
- Restart all website services using SolarWinds Platform Service Manager.
After services restart, configured hostnames are added to the allow list. Requests using these hostnames are considered valid and do not trigger logouts.
Configure DNS Cache TTL
Each successfully validated hostname is stored in the DNS cache for the time specified in advanced settings as the configured cache Time to Live (TTL). The cache entry includes the hostname and the resolved IP addresses. When a request uses a cached hostname, the platform does not perform a DNS lookup.
- Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows:
  [hostname]/Orion/Admin/advancedconfiguration/global.aspx
- Locate DnsCacheTtl.
- Specify a value in minutes.
  Default: 60 minutes
- Select Save.
- Restart web services.
The new TTL takes effect after services restart.
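The allow list, DNS check and TTL cache described on this page, modeled as an added example; this is not SolarWinds code. The class and function names, the injected resolver and clock, and the rule that a name passes the DNS check only when all of its addresses belong to the server are assumptions, because the page does not state the DNS acceptance criterion.

```python
import time

class HostHeaderValidator:
    """Illustrative model: allow list, DNS check and TTL cache (not vendor code)."""
    def __init__(self, allowed_csv, server_ips, resolver, ttl_minutes=60,
                 clock=time.monotonic):
        self.allowed = {self.normalize(h) for h in allowed_csv.split(",") if h.strip()}
        self.server_ips = set(server_ips)
        self.resolver = resolver      # callable: hostname -> list of IPs ([] if none)
        self.ttl = ttl_minutes * 60   # the setting is given in minutes
        self.clock = clock
        self.cache = {}               # hostname -> (expiry time, resolved IPs)
        self.lookups = 0              # DNS lookups performed

    @staticmethod
    def normalize(host_header):
        host = host_header.strip().lower()
        if host.startswith("["):                  # bracketed IPv6 literal
            return host[1:].partition("]")[0]
        # Drop the port from name:port or IPv4:port.
        host = host.partition(":")[0] if host.count(":") == 1 else host
        return host.rstrip(".")

    def is_valid(self, host_header):
        host = self.normalize(host_header)
        if host in self.allowed:                  # explicit allow-list entry
            return True
        now = self.clock()
        entry = self.cache.get(host)
        if entry and entry[0] > now:              # cached: no DNS lookup
            return True
        self.lookups += 1
        ips = set(self.resolver(host))
        # Assumption: accept only if every resolved address is the server's own.
        if ips and ips <= self.server_ips:
            self.cache[host] = (now + self.ttl, ips)   # cache successes only
            return True
        return False

def demo():
    """Constructed sample data: example.* names and RFC 5737 addresses."""
    records = {"orion.example.com": ["192.0.2.10"], "other.example.net": ["203.0.113.7"]}
    now = [0.0]
    v = HostHeaderValidator("nms.example.com, 192.0.2.10", ["192.0.2.10"],
                            lambda h: records.get(h, []), clock=lambda: now[0])
    first = [v.is_valid(h) for h in ("NMS.example.com:443", "orion.example.com", "other.example.net")]
    records["orion.example.com"] = ["203.0.113.7"]   # DNS record changes
    cached = v.is_valid("orion.example.com")         # still served from cache
    now[0] = 3601.0                                  # default 60-minute TTL has passed
    return first, cached, v.is_valid("orion.example.com"), v.lookups
```

In this model a cached name stays accepted until its entry expires, even after its DNS record changes, so the TTL bounds how long a stale answer is trusted.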
Enable or disable host header validation
Disabling host header validation removes protection against host header injection attacks. Use this setting only in controlled environments.
- Log in to the SolarWinds Platform Web Console as an administrator and go to Advanced Configuration. Adjust the SolarWinds Platform Web Console URL as follows:
  [hostname]/Orion/Admin/advancedconfiguration/global.aspx
- Locate EnableHostHeaderValidation.
  - To enable validating host headers, set the value to True.
  - To disable validating host headers, set the value to False.
- Select Save.
- Restart web services.
After restart, host header validation is enabled or disabled according to your settings.