Configuring protection from host header injection

Available from 9.2.29.

To protect your environment from host header injection, define the list of hostnames or IP addresses that are allowed in the Host or X-Forwarded-Host header. Without such a list, the server accepts whatever value the client sends in these headers, and an attacker who supplies a forged value can make the server build links or redirects that point to a host of the attacker's choosing. X-Forwarded-Host is normally set by a proxy, but a client that talks to the server directly can supply it as well, so both headers are checked against the list.

Procedure

  1. Define the list of hostnames or IP addresses that are allowed in Host or X-Forwarded-Host header.
    1. Open the lmt_settings.yml file. By default, the file is in the following location.
      • Linux /opt/ibm/LMT/wlp/usr/servers/server1/config/lmt_settings.yml
      • Windows C:\Program Files\ibm\LMT\wlp\usr\servers\server1\config\lmt_settings.yml
    2. In the allowed_hosts parameter, provide the list of hostnames or IP addresses, separated by commas. Include the hostname or IP address that users type to reach the License Metric Tool user interface, and the hostnames or IP addresses of all proxy servers that forward requests to it. Any value that legitimate clients or proxies send in the Host or X-Forwarded-Host header must appear on the list; otherwise their requests are redirected.
  2. Enable filtering of hostnames and IP addresses.
    1. Open the jvm.options file. By default, the file is in the following location.
      • Linux /opt/ibm/LMT/wlp/usr/servers/server1/jvm.options
      • Windows C:\Program Files\ibm\LMT\wlp\usr\servers\server1\jvm.options
    2. Uncomment the following line: -DFILTER_ALLOWED_HOSTS=true.
  3. For the changes to take effect, restart the License Metric Tool server.
    1. Stop the server.
    2. Start the server.

Results

If a request arrives whose Host or X-Forwarded-Host header carries a hostname or IP address that is not on the list, the request is redirected to the first hostname on the allowed list. Put the hostname that users are expected to use first, because that is where every rejected request is sent. If a hostname or proxy address that legitimate users rely on is missing from the list, their requests are redirected in the same way, so verify access through every proxy after the restart.