I am researching the mitigation of Host Header Attacks in IIS and ASP. In this article written by James Kettle; there are several solutions for servers using Apache and PHP. I however am looking for solutions on how this might be fixed in an IIS / ASP environment. James suggests in his article that on the server side we need to make the variable SERVER_NAME trustworthy. How is this accomplished in IIS? Can I use a Request Validation or a Whitelist? If so how might I implement this?
↧