WARNING
Request headers and response headers are not the same thing. Some do share a name though, think Content-Type.
Host
Required in HTTP/1.1.
HTTP communication:
- we provide an address
- we ask DNS for the target's IP
- we connect to IP:80 and send a request with a Host: target.com header - for this header we can use a different address, even one that is not in DNS
- this can be used to locate hidden virtual hosts
Could also be used to find SSRF.
Might contain IPv6 addresses that trigger erroneous behavior.
vuln
An attacker who knows the Target's email initiates the Password Reset, but sends the request to /password-reset with Host: another-site.com.
The vulnerable application uses the Host header to generate the Password Reset Link. The link is sent to the Target.
The Target clicks the link, and the one-use token is sent to another-site.com.
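Added example (mine, not from these notes): a minimal Python sketch of the mitigation for the scenario above, and of the Host allowlist that also addresses the "hidden virtual hosts" point earlier. The reset link is built from a fixed canonical origin, never from Host, and a request whose Host is not one of our own virtual hosts is refused. CANONICAL_ORIGIN, ALLOWED_HOSTS and the function names are assumptions for this example.

```python
# Added example, not from the original notes: password-reset links built from a
# fixed origin instead of the request's Host header, plus a Host allowlist.
# CANONICAL_ORIGIN, ALLOWED_HOSTS and the function names are assumptions.
import secrets

CANONICAL_ORIGIN = "https://target.com"           # assumed deployment setting
ALLOWED_HOSTS = {"target.com", "www.target.com"}  # assumed vhosts we really serve


def _hostname(host: str) -> str:
    """Normalise a Host header value: lowercase, strip an optional :port.
    A bracketed IPv6 literal such as [::1]:8080 is kept as [::1]."""
    host = host.strip().lower()
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def host_is_allowed(headers: dict) -> bool:
    """True only if Host names a virtual host we serve; anything else
    (including an attacker-supplied another-site.com) is rejected."""
    return _hostname(headers.get("Host", "")) in ALLOWED_HOSTS


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the notes describe: the link host is whatever the request
    put in the Host header, so the token is delivered to that host."""
    return f"https://{headers['Host']}/password-reset/confirm?token={token}"


def reset_link_safe(headers: dict, token: str) -> str:
    """Never derive the link from Host: use the configured origin, and refuse
    the request outright when Host is not one of ours."""
    if not host_is_allowed(headers):
        raise ValueError("unrecognised Host header")
    return f"{CANONICAL_ORIGIN}/password-reset/confirm?token={token}"


if __name__ == "__main__":
    token = secrets.token_urlsafe(32)           # single-use token, generated per request
    poisoned = {"Host": "another-site.com"}    # constructed request with a foreign Host
    print("vulnerable:", reset_link_vulnerable(poisoned, token))
    print("safe:      ", reset_link_safe({"Host": "target.com"}, token))
    try:
        reset_link_safe(poisoned, token)
    except ValueError as exc:
        print("safe rejects poisoned Host:", exc)
```

The same allowlist check belongs at the front door (web server default vhost or framework setting) as well, so that a request for a name you do not serve never reaches application code.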
request
Referer
WARNING
Yep, it's Referer, not Referrer...
Contains the full URL of the page we were on before clicking the link (i.e. the current site's URL). Some servers log Referer values by default, so a URL that contains sensitive data (a session ID, a password reset token, the full URL of the Allegro.pl erotic category) ends up in those logs. Data leak. - https://www.ezequiel.tech/p/10k-host-header.html
TIP
Tokens in a URL should be single-use only.
WARNING
The browser does not send Referer on a downgrade from an HTTPS page to an HTTP target; if the current page is HTTPS, the target must also be HTTPS for the Referer value to be sent.
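Added example (mine, not from the notes or the linked post): the server-side counterpart of the leak described above. It parses a few constructed lines in Apache/nginx combined log format, flags requests whose Referer carries a token-like query parameter, and redacts those values before the line is kept. SENSITIVE_PARAMS, SAMPLE_LOG and the function names are assumptions for this example.

```python
# Added example, not from the original notes: find and redact secrets that a
# Referer header carries into access logs. SENSITIVE_PARAMS and SAMPLE_LOG are
# constructed assumptions for this example.
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# "combined" log format: client ident user [time] "request" status size "referer" "agent"
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameter names that should never be written to a log (assumed list).
SENSITIVE_PARAMS = {"token", "reset_token", "session", "sessionid",
                    "session_id", "sid", "password", "secret", "api_key"}

# Constructed sample: line 2 is a request for an image embedded in a password
# reset page, so the browser sent the reset URL (token included) as Referer.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 '
    '"https://target.com/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /static/logo.png HTTP/1.1" 200 2326 '
    '"https://target.com/password-reset/confirm?token=8f3a91c2&user=bob" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/8.0"',
]


def sensitive_params_in(url: str) -> list:
    """Names of query parameters in url that look like secrets."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if name.lower() in SENSITIVE_PARAMS]


def redact_url(url: str) -> str:
    """Same URL with the values of sensitive parameters replaced by REDACTED.
    URLs without sensitive parameters are returned byte-for-byte unchanged."""
    if not sensitive_params_in(url):
        return url
    parts = urlsplit(url)
    pairs = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAMS else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines) -> list:
    """(line number, referer, leaked parameter names) for every line whose
    Referer carries a sensitive parameter."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED_LOG.match(line)
        if not m:
            continue  # not combined format, nothing to inspect
        leaked = sensitive_params_in(m.group("referer"))
        if leaked:
            findings.append((lineno, m.group("referer"), leaked))
    return findings


def redact_log_line(line: str) -> str:
    """Rewrite one log line so the Referer no longer contains secret values."""
    m = COMBINED_LOG.match(line)
    if not m or m.group("referer") in ("", "-"):
        return line
    referer = m.group("referer")
    return line.replace(f'"{referer}"', f'"{redact_url(referer)}"', 1)


if __name__ == "__main__":
    for lineno, referer, leaked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: Referer leaks {leaked}: {referer}")
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

Redaction at log time limits the damage in your own logs only; the token still left the browser, which is why single-use tokens and a restrictive Referrer-Policy on the reset page matter more than the scrubbing.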
Referrer-Policy
WARNING
...and here it's Referrer.
Use Referrer-Policy: no-referrer to stop the browser from sending the Referer header.
Cookie
Sends a cookie or cookies to the server.
X-Forwarded-For
An exceptionally interesting header, with the potential to breach security whenever the application trusts its value.
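Added example (mine, not from the notes): why X-Forwarded-For is dangerous to trust and how to read it safely. client_ip_naive does what many applications do (takes the first address in the chain, which the client itself can write), while client_ip_safe walks the chain backwards from the TCP peer and only skips hops that are in an assumed TRUSTED_PROXIES list. The function names and the proxy ranges are assumptions for this example.

```python
# Added example, not from the original notes: reading X-Forwarded-For safely.
# TRUSTED_PROXIES and the function names are assumptions for this example.
import ipaddress

# Reverse proxies / load balancers in front of the application (assumed ranges).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr parses as an IP and falls inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(headers: dict, remote_addr: str) -> str:
    """What many applications do: take the first (leftmost) entry. Anyone can
    send the header, so this value is chosen by the client, not the network."""
    xff = headers.get("X-Forwarded-For", "")
    first = xff.split(",")[0].strip()
    return first or remote_addr


def client_ip_safe(headers: dict, remote_addr: str) -> str:
    """Walk the chain from the right, starting at the TCP peer. Skip hops that
    are our own proxies; the first hop that is not ours is the client. Entries
    further left were appended by parties we do not trust and are ignored. A
    garbage entry ends the walk and we fall back to the peer address."""
    xff = headers.get("X-Forwarded-For", "")
    chain = [p.strip() for p in xff.split(",") if p.strip()] + [remote_addr]
    for hop in reversed(chain):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every hop was one of our proxies (e.g. a health check)


if __name__ == "__main__":
    # Constructed: a direct connection that claims to come from localhost.
    spoofed = {"X-Forwarded-For": "127.0.0.1"}
    print("naive:", client_ip_naive(spoofed, "203.0.113.7"))   # 127.0.0.1
    print("safe: ", client_ip_safe(spoofed, "203.0.113.7"))    # 203.0.113.7
    # Constructed: the same claim, but relayed by one of our proxies.
    relayed = {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}
    print("safe via proxy:", client_ip_safe(relayed, "10.0.0.9"))  # 203.0.113.7
```

Whatever the application derives from this header (rate limits, "internal network" checks, audit logs) should come from client_ip_safe, and the proxies themselves should overwrite rather than append the header when they are the first hop you control.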
response
Strict-Transport-Security (response header)
One of the headers that can directly increase the security of an application.
Location (response header)
Implements a client-side redirect to another address.
Set-Cookie (response header)
Sets a cookie on the client.
Server (response header)
Sometimes reveals the type/version of the HTTP server in use.
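Added example (mine, not from the notes): a small audit function over a dict of response headers that checks the four headers listed above: Strict-Transport-Security present with a sufficiently large max-age, Location not pointing off-site, Set-Cookie carrying Secure and HttpOnly, and Server not revealing a version. ALLOWED_REDIRECT_HOSTS, HSTS_MIN_AGE and the "digit means version" heuristic are assumptions for this example.

```python
# Added example, not from the original notes: a small audit of the response
# headers listed above. ALLOWED_REDIRECT_HOSTS, HSTS_MIN_AGE and the version
# heuristic for Server are assumptions for this example.
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS = {"target.com", "www.target.com"}  # assumed
HSTS_MIN_AGE = 31536000  # one year in seconds, a commonly recommended minimum
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly"}


def _directives(value: str) -> dict:
    """'max-age=300; includeSubDomains' -> {'max-age': '300', 'includesubdomains': None}"""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        out[name.strip().lower()] = val.strip() if sep else None
    return out


def audit_response(headers: dict) -> list:
    """Return a list of findings (empty means nothing flagged). Header names are
    matched case-insensitively; Set-Cookie may be a str or a list of str."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Strict-Transport-Security: present, and max-age long enough to matter
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = _directives(hsts).get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security max-age too low or missing: {hsts!r}")

    # Location: a redirect to a host we do not control is an open-redirect smell.
    # urlsplit().hostname also catches "//evil.example/" and "user@evil.example" forms.
    location = h.get("location")
    if location is not None:
        target = urlsplit(location)
        if target.netloc and target.hostname not in ALLOWED_REDIRECT_HOSTS:
            findings.append(f"Location redirects off-site: {location}")

    # Set-Cookie: cookies should carry Secure and HttpOnly
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = _directives(cookie.split(";", 1)[1] if ";" in cookie else "")
        for key, label in COOKIE_FLAGS.items():
            if key not in attrs:
                findings.append(f"Set-Cookie {name} lacks {label}")

    # Server: a digit in the value almost always means a version string (heuristic)
    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header reveals a version: {server!r}")

    return findings


if __name__ == "__main__":
    # Constructed sample response, not captured from any real server.
    sample = {
        "Strict-Transport-Security": "max-age=300",
        "Location": "https://another-site.com/",
        "Set-Cookie": "session=abc; Path=/",
        "Server": "Apache/2.4.41 (Ubuntu)",
    }
    for finding in audit_response(sample):
        print("-", finding)
```

Run it over responses from a staging environment (one dict per response) to catch regressions such as a dropped HSTS header or a cookie that lost its Secure flag after a framework upgrade.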