Slack Groverglow Slack Groverglow - 10 months ago 38
HTTP Question

What is an efficient way of checking if an url corresponds to the current machine

I have a C# application acting as an HTTP server which hypothetically can be reached at,, etc.

The server does not have this information at startup. Instead, it looks at the "host" field in every HTTP request to learn its "known names" and populates a list, i.e., ('', '', 'localhost')

If the server receives an incorrect or malicious HTTP request with an invalid host field, it will still add the wrong hostname.

I want to check the host field on HTTP requests coming into my server to see if they correspond to the current machine. Is is possible to do this without any additional network requests?

Answer Source

The app would need to test whether it's actually I don't see any other (reliable) solution. You can't necessarily rely on DNS lookups since the webapp could have a private address.

You can set up a special endpoint for these tests. The flow I imagine is something like this:

  1. The server receives a request for
  2. It's the first time that the application is asked about so to make sure that it really is, it generates and stores a large random number, say 123456 and an index, say 5.
  3. The application then sends a challenge to, passing the index as a parameter (i.e.
  4. The thread that handles this request looks up the stored random number by its index, and responds with 123456.
  5. After receiving a response of 123456, the server now knows that it really is accessible through, at least for now.

Of course other variations of this solution are possible. Note that this solution leverages the fact that the application's threads have shared memory (to store the random number and index). If the webapp is deployed in a cluster, you'd need to replace this simple authentication scheme. One way to do it would be using a shared secret and challenge-response, or some other cryptographic solution.

One other thing - in the solution I propose there's an inherent race condition between the thread storing the random number and index, and the thread verifying them. You'd need to make sure that the chosen random number and index are stored before the verification thread tries to read them. Various eventual consistency collections won't be enough to guarantee it, so they might fail from time to time.