IBM Support

Addressing HTTP header injection issues reported against IBM InfoSphere Information Server.



Security scans may report HTTP header injection issues against Information Server.


A security scan has reported an HTTP header injection issue against Information Server.


Configuration settings in WebSphere


Information Server installations at any release level, with stand-alone or clustered WebSphere

Diagnosing The Problem

The scan report may indicate that an Error 302 was reported after Host header injection.

Resolving The Problem

See the WebSphere Application Server information on security hardening, which provides specific instructions that must be followed to harden production environments.


In the WebSphere Administration console:

  1. Navigate to Environment twisty -> Virtual Hosts -> Hosts -> default host -> Host Aliases
  2. Replace “*” with the hostname and select the ports that will be part of this virtual host.
    For example, ports 9080, 80, 9443, 5060, 5061, 443, 9081, 9444.

With your specific host name configured, any subsequent attempt at Host header injection will result in 404 Not Found errors, and redirection to the injected host will not occur.
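To confirm the change on a server you administer, the scan finding can be re-tested directly. The following is an added example, not IBM code: it sends one request with a forged Host header and reports whether the response is the 302 redirect to the forged host or the 404 expected after the host aliases are restricted. The canary host name, the placeholder server name `iis.example.internal` and the function names are assumptions.

```python
import http.client
import ssl
from urllib.parse import urlsplit

CANARY = "injected.example.invalid"  # constructed marker host, never resolvable


def classify(status, location, canary=CANARY):
    """Map one response to a verdict for the Host header check."""
    loc_host = (urlsplit(location).hostname or "") if location else ""
    if 300 <= status < 400 and loc_host.lower() == canary.lower():
        return "VULNERABLE"    # redirect target was built from the forged Host
    if status == 404:
        return "REJECTED"      # expected once "*" is replaced in Host Aliases
    return "INCONCLUSIVE"      # e.g. 200, or a redirect to the real host name


def probe(server, port, path="/", tls=False, canary=CANARY, timeout=5):
    """Send one GET with a forged Host header; return (status, Location, verdict)."""
    if tls:
        # Default context verifies the certificate; a self-signed WebSphere
        # certificate raises ssl.SSLError (an OSError) unless its CA is trusted.
        ctx = ssl.create_default_context()
        conn = http.client.HTTPSConnection(server, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(server, port, timeout=timeout)
    try:
        conn.putrequest("GET", path, skip_host=True)  # suppress the automatic Host
        conn.putheader("Host", canary)
        conn.endheaders()
        resp = conn.getresponse()
        location = resp.getheader("Location")
        resp.read()
        return resp.status, location, classify(resp.status, location, canary)
    finally:
        conn.close()


if __name__ == "__main__":
    # Two ports from the example list above; the server name is a placeholder.
    for port, tls in [(9080, False), (9443, True)]:
        try:
            print(port, probe("iis.example.internal", port, tls=tls))
        except OSError as exc:
            print(port, "unreachable:", exc)
```

Run it once per port listed in the host aliases, since each alias is a host name and port pair.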

If for any reason, the above steps do not work, see for alternative steps from the IBM HTTP Server team.


Document Information

Modified date:
08 August 2022