[
https://issues.apache.org/jira/browse/OFBIZ-11588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17236013#comment-17236013 ]
Jacques Le Roux commented on OFBIZ-11588:
-----------------------------------------
Hi Daniel,
In security.properties? we have:
{noformat}
# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
# -- no spaces after commas,no wildcard, can be extended of course...
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
{noformat}
So no change is needed for demos, HTH
> Have 'host-headers-allowed' validation for all local headers
> ------------------------------------------------------------
>
> Key: OFBIZ-11588
> URL:
https://issues.apache.org/jira/browse/OFBIZ-11588> Project: OFBiz
> Issue Type: Improvement
> Components: framework/security
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: CSRF, security
>
> The ip address 0.0.0.0 is missing from the list.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
