What is a IIS host header

 

Most websites do not have their own individual server, instead they share a server along with multiple other websites and applications. All websites hosted from this server will therefore have the same IP address. This can be problematic as the server can’t differentiate which website to serve if many  websites are hosted on the same IP address and port. It will serve the default website regardless of the requested domain.

 

To be directed to the correct website on a server, there must be a way to differentiate between all the individual sites hosted on a server. Each website has a unique header, which when typed into a browser in the form of a URL, tells the server which website is trying to be accessed and navigates to the correct page.

 

 

The difference between a host header and a URL

 

A host header is a component of a URL, found in the HTTP request which is used by the web server to identify which website to serve. On the other hand a URL is a full address a browser uses to locate and retrieve a specific resource on the internet.

 

Why use host headers

 

Using host headers can reduce the risk of specific types of attacks on a website. In order to reduce the possibility of DNS rebinding attacks and IP-based scans, all web-sites allowing HTTP/HTTPS over ports 80/443 will be assigned default Host headers.

 

Along with security benefits, hosting multiple websites on one server saves money, increases efficiency through managing all websites from a single server simplifying administration and allows for scalability both of individual websites and adding more sites to a server.

 

Additionally,  there are more websites on the internet than IPv4 addresses available, therefore IP addresses must be shared and a way to differentiate between them is necessary.

 

Disable IPv6

 

What is a wildcard host header

 

A wildcard host header in IIS allows a single website configuration to handle requests for multiple subdomains under a domain. It simplifies the management of numerous subdomains and provides flexibility in handling web traffic efficiently.

 

This sometimes takes the form of a word before the website name in a URL for each subdomain, for example: home.example.com, blog.example.com, contact.example.com.

 

It is important to configure wildcard host headers correctly. If both a wildcard DNS entry and a wildcard host header are configured, there is a risk that the server might unintentionally serve data to more domains than intended.

 

To understand more about wildcards and how to configure, see this article by Microsoft.

 

CIS compliance

 

How to configure IIS host headers

 

There are multiple ways to access configuration of host header settings, varying depending on the version of IIS being run.

 

To configure host headers, start by obtaining a listing of all sites by using the following appcmd.exe command:

 

Enter the following command in AppCmd.exe to configure the host header:

%systemroot%\system32\inetsrv\appcmd.exe set config –

section:system.applicationHost/sites /”[name='<website

name>’].bindings.[protocol=’http’,bindingInformation=’*:80:<host

header>’].bindingInformation:”*:80:<host header>”” /commit:apphost

 

OR

 

Enter the following command in PowerShell to configure the host header:

Set-WebConfigurationProperty -pspath ‘MACHINE/WEBROOT/APPHOST’ -filter

‘system.applicationHost/sites/site[@name='<website

name>’]/bindings/binding[@protocol=’http’ and @bindingInformation=’*:80:’]’ –

name ‘bindingInformation’ -value ‘*:80:<host header value>’

 

OR

 

Perform the following in IIS Manager to configure host headers for the Default Web Site:

 

  1. Open IIS Manager
  2. In the Connections pane expand the Sites node and select Default Web Site
  3. In the Actions pane click Bindings
  4. In the Site Bindings dialog box, select the binding for which host headers are

going to be configured, Port 80 in this example

  1. Click Edit
  2. Under host name, enter the sites FQDN, such as <www.examplesite.com>
  3. Click OK, then Close

 

Note: Requiring a host header may impair site functionality for HTTP/1.0 clients.

 

 Default value

 

By default, host headers are not required or set up automatically.

 

(Robert McMillen shows you how to use Host Headers in IIS video)

Best practices for configuring IIS host headers

 

Host headers offer many advantages and are vital to being able to use websites and services as we do today. However as can be seen with wildcard host headers it can be easy to misconfigure these settings leaving attack surfaces bare.

 

This is why it is recommended to do server hardening, ensuring all settings are optimally configured safeguarding data and websites.

You might be interested