Will It Vibe logoWill It Vibe?
EXPRESS-024Medium severity-8 points

URL built from the Host header

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A URL or redirect target is built from req.headers.host / req.hostname, which a client fully controls, enabling host-header injection, poisoned password-reset links, and cache poisoning.

Why it matters

Building a URL or redirect from req.headers.host or req.hostname trusts a value the client fully controls. An attacker sets the Host header to their domain, and your app emits links pointing there: poisoned password-reset emails, redirects to a phishing page, or cache-poisoning entries served to other users. The generated URL should never depend on client-supplied headers.

How to fix it

Build absolute URLs from a configured base (an APP_URL or PUBLIC_ORIGIN environment variable), not from the request host. If you must accept the host from the request, validate it against an allow-list of known hostnames before using it. At the edge, configure the server or proxy to reject requests with an unexpected Host header.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks