Description

The trusted_host_patterns setting is not configured for your Drupal installation. This setting can be configured from settings.php and protects against HTTP Host Header attacks. This should be an array of regular expression patterns, representing the hosts you would like to allow. It's recommended to configure this setting in a production website.

Remediation

Edit settings.php and configure trusted_host_patterns as you can see in the example below.

In this example, the site is only allowed to run from www.example.com. 

$settings['trusted_host_patterns'] = [
  '^www\.example\.com$',
];

References

Protecting against HTTP HOST Header attacks

Drupal Security: Top tips to secure your Drupal application

Related Vulnerabilities

Apache perl-status enabled

PHP enable_dl enabled

Web Cache Poisoning through HTTP/2 pseudo-headers

SAP Management Console list logfiles

ASP.NET WCF service include exception details

Severity

Medium

Classification

CWE-16 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Configuration