[keycloak-user] Host Header Attack behind Load Balancer
Hylton Peimer
hylton.peimer at datos-health.com
Thu Jun 14 10:43:21 EDT 2018
A Google load balancer is proxying HTTP requests to a Keycloak instance
[container running in Kubernetes].
A penetration test revealed that it's possible to inject "X-FORWARDED-HOST"
with a malicious host name, and Keycloak will accept this (login page).
Is there a way to tell Keycloak (3.4) to only accept web requests matching
a given host?
Thanks
Hylton Peimer
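An added example, not from this thread or from Keycloak itself, of the application-side check the question asks for: work out which host a request claims, honour X-Forwarded-Host only when it arrived via a trusted proxy, and reject any host outside an allowlist. The allowlist, the proxy address and the sample requests are constructed for illustration.

```python
# Constructed settings (hypothetical, not Keycloak configuration):
ALLOWED_HOSTS = {"sso.example.com"}      # the only host name this deployment serves
TRUSTED_PROXIES = {"10.0.0.5"}           # load balancer address as seen by the app


def canonical_host(value):
    """Lowercase the host, drop any port and trailing dot so comparisons are exact."""
    host = value.strip().lower()
    if host.startswith("["):             # bracketed IPv6 literal: keep brackets, drop port
        host = host.split("]")[0] + "]"
    else:
        host = host.split(":")[0]
    return host.rstrip(".")


def effective_host(headers, peer_ip):
    """Return the host the application should treat as its own.

    X-Forwarded-Host is only consulted when the immediate peer is a trusted proxy;
    from anyone else the header is attacker-controlled and is ignored.  Note that
    this alone does not help when the proxy forwards a client-supplied value
    unchanged (the situation in the thread); the allowlist check below does.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if peer_ip in TRUSTED_PROXIES and "x-forwarded-host" in h:
        # A proxy chain may append several values; the first is the client-facing host.
        return canonical_host(h["x-forwarded-host"].split(",")[0])
    return canonical_host(h.get("host", ""))


def request_allowed(headers, peer_ip):
    """(allowed, host): allowed is False for any host not in ALLOWED_HOSTS,
    regardless of whether it came from Host or X-Forwarded-Host."""
    host = effective_host(headers, peer_ip)
    return host in ALLOWED_HOSTS, host


if __name__ == "__main__":
    # Constructed sample: a forged X-Forwarded-Host relayed by the load balancer.
    forged = {"Host": "sso.example.com", "X-Forwarded-Host": "evil.example.net"}
    print(request_allowed(forged, "10.0.0.5"))   # (False, 'evil.example.net')
```

The same check belongs in front of every absolute URL the login page builds (redirects, form actions, password-reset links), since those are where an accepted forged host ends up.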