URL built from the Host header
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A URL or redirect target is built from req.headers.host / req.hostname, which a client fully controls, enabling host-header injection, poisoned password-reset links, and cache poisoning.
Why it matters
Building a URL or redirect from req.headers.host or req.hostname trusts a value the client fully controls. An attacker sets the Host header to their domain, and your app emits links pointing there: poisoned password-reset emails, redirects to a phishing page, or cache-poisoning entries served to other users. The generated URL should never depend on client-supplied headers.
How to fix it
Build absolute URLs from a configured base (an APP_URL or PUBLIC_ORIGIN environment variable), not from the request host. If you must accept the host from the request, validate it against an allow-list of known hostnames before using it. At the edge, configure the server or proxy to reject requests with an unexpected Host header.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo