Meteor's force-ssl package uses Meteor.absoluteUrl() - but what if wildcard subdomains are pointing to the same app instance?

If you use the core force-ssl package with wildcard subdomains all pointing to the same server, then when navigating to http://demo.example.com, you’ll get redirected to https://example.com (assuming you started your app instance with ROOT_URL="https://example.com").

That’s not good if you’re detecting the subdomain in app code and serving up different content based on that.

In the last commit to the force-ssl package, the following change was made:

var host = req.headers.host || 'no-host-header';

was replaced with

var host = url.parse(Meteor.absoluteUrl()).hostname;

By forking the package and changing that line back to the original, I can get http://demo.example.com to redirect to https://demo.example.com.

So there is a working solution, but I’m not entirely happy with having to hack the package source. From the code comments before that change (below), it appears there was a good reason for making the change:

// if we don't have a host header, there's not a lot we can do. We
// don't know how to redirect them.
// XXX can we do better here?

Does anyone have a better way of achieving this?

Actually, this is implemented because of a security issue. We should not trust the host header. If we do this, someone can deface our web app with force-ssl.

If you need a custom solution, you need to remove the force-ssl package and try to implement something similar. There too, don’t trust the host header. Do some validation.


Is the security issue mentioned essentially that they could inject code into the req.headers.host variable and have that run on the server? Or is it just that they could spoof the value?

No, it’s not something like that. I don’t quite remember the exact case.
But, someone can change the host header before it reaches the server. There are plenty of ways to do that.

Then, if someone visits http://site.com, it’ll ask the browser to redirect to https://badsite.com

That’s the issue.
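The redirect problem described in this thread is an open redirect driven by an attacker-controlled Host header. Below is an added example (not code from the force-ssl package or from anyone in this thread) of the kind of validation a replacement package could do: accept the ROOT_URL hostname or exactly one well-formed label below it, and fall back to the ROOT_URL hostname for anything else. The root hostname `example.com` is a constructed value standing in for what ROOT_URL would supply.

```javascript
// Added example, not the force-ssl package's own code.
// ROOT_HOSTNAME stands in for url.parse(Meteor.absoluteUrl()).hostname;
// "example.com" is a constructed value for this demonstration.
const ROOT_HOSTNAME = 'example.com';

// One DNS label: letters, digits and hyphens, 1-63 chars, no leading or trailing hyphen.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Returns the hostname that is safe to redirect to. Anything that is not the
// root hostname or a single well-formed subdomain of it (missing header,
// foreign domain, look-alike suffix, nested labels) falls back to the root.
function resolveRedirectHost(hostHeader, rootHostname = ROOT_HOSTNAME) {
  if (typeof hostHeader !== 'string') return rootHostname;
  // Strip any port, normalise case. "[::1]:3000" becomes "[::1]" and is
  // rejected below because it is neither the root nor a subdomain of it.
  const host = hostHeader.split(':')[0].trim().toLowerCase();
  const root = rootHostname.toLowerCase();
  if (host === root) return root;
  // Require the ".example.com" suffix so that "evil-example.com" and
  // "example.com.badsite.com" do not pass.
  const suffix = '.' + root;
  if (!host.endsWith(suffix)) return root;
  // Exactly one label is allowed in front of the suffix, e.g. "demo".
  const label = host.slice(0, host.length - suffix.length);
  return LABEL.test(label) ? host : root;
}

// Builds the Location value an HTTP to HTTPS redirect would send for a request,
// using only a Host value that passed the check above.
function httpsRedirectLocation(req) {
  const host = resolveRedirectHost(req.headers.host);
  return 'https://' + host + (req.url || '/');
}
```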

Phew. I was going to get a bit paranoid if that had been the case and start frantically searching for anywhere I was using the host header! :blush:

Yeah! You should :smile:

Meteor removed the use of the host header in many places. I think they removed it from spiderable as well.

Thanks for this, Arunoda. That’s the good reason for making the change!