Configure Host Header Injection Prevention

This feature allows the Control Center (CC) administrator to configure hostnames and IP addresses for secure access to the application.

Attention: This feature is available starting with version IBM Sterling Control Center 6.2.1.0 iFix15.

Control Center administrators can enable or disable this feature based on their requirements.

This feature is disabled by default for both container-based and non-container environments.

Steps to Enable and Configure Host Header Injection Prevention

Navigate to <installation directory>\web\ccbase\etc\jetty.xml.

Set the value to true for enabled attribute as shown below.

<Call name="enabled">
  <Arg type="java.lang.Boolean">true</Arg>
</Call>

Define the allowed hostnames/IP addresses from which the application can be accessed under the allowedList section. Example:

<Callname="allowedList">
  <Arg>
    <Array type="java.lang.String">
      <Item>ccdev1.com</Item>
      <Item>ccdev2.com</Item>
      <Item>192.168.1.1</Item>
      <Item>192.168.1.10</Item>
    </Array>
  </Arg>
</Call>

Restart the event processor.
Repeat these steps for each event processor.

Steps to Disable Host Header Injection Prevention

Navigate to <installation directory>\web\ccbase\etc\jetty.xml.
Disable the feature by setting the enabled attribute to false, as shown below:
```
<Call name="enabled">
  <Arg type="java.lang.Boolean">false</Arg>
</Call>
```
When this feature is turned off, the system does not refer to the allowedList. Any configurations under the allowedList attribute become irrelevant.
Restart the event processor.
Repeat these steps for each event processor.

Important:

IBM Sterling Control Center automatically allows the hostname and IP address of the machine it is running on.
If the system runs under a load balancer, or requires access through different IPs or hostnames, those IPs and hostnames must be configured as mentioned in Steps to Enable and Configure Host Header Injection Prevention.