i4SCADA Knowledge Base

Prevent Host Header Injection Redirect in WCF Web Services

Abstract

Check out this article to see how you can prevent Host Header Injection Redirect in WCF Web Services.

Since i4SCADA version 3.8.13, you can prevent Host Header Injection Redirect in WCF Web Services, by following the solution provided below.

Solution
  1. Open a file explorer and locate the WCF web.config file. The default location of the WCF Web.config file is: C:\inetpub\wwwroot\_SERVICES\WEBservices\WCF\.

  2. Open the XML Configuration file using an editor application.

  3. Identify the “HostHeaderWhitelist“ key. By default, its value is empty.

    Note

    Host Header Whitelist is the list of all hosts accepted by the Webservices for any of the calls made by it.

    host_header_whitelist.jpg
  4. Between the quotation marks insert your host headers whitelist. If this is set to something (ex “hostname“) the WCF Webservices will allow calls with the host header set to the provided hostname. If this is not the case then a 404 will be retrieved and an error will be logged.

    You can also insert multiple whitelists hosts separated by a comma (',').

    host_header_whitelist_multiple.jpg
  5. Make sure you have saved your changes.