
Not a bug Host header manipulation


New member
By manipulation of the Host header, XenForo loads resources from any host provided by user input. This could be a problem when pages are being cached. A cache poisoning attack might then cause big trouble. Isn't there a fix available for this?

Thanks in advance


XenForo developer
Staff member
XenForo doesn't do page caching like that out of the box. This would be site-level URL canonicalization (to ensure the host is always what you expect) and is really something that should be handled outside of XenForo.

If you have any questions about doing this canonicalization, please associate your account with your license and post in the support forum.
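
One way to do the site-level host canonicalization the staff reply refers to, at the web server in front of XenForo. This is an added example, not part of the thread and not XenForo's own configuration; it assumes nginx with PHP-FPM, and the host names, certificate paths, document root and socket path are placeholders.

```nginx
# Constructed example: forum.example.com is a placeholder for the canonical host.

# 1. Catch-all. A request whose Host header (or TLS SNI name) matches no
#    server_name below lands here and is dropped before PHP or any cache sees it.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;  # nginx 1.19.4+: no certificate needed in this block
    return 444;               # close the connection without sending a response
}

# 2. Plain HTTP and the known alternate name redirect to the one canonical
#    origin. The target is a fixed string, never $host or $http_host.
server {
    listen 80;
    server_name forum.example.com www.forum.example.com;
    return 301 https://forum.example.com$request_uri;
}
server {
    listen 443 ssl;
    server_name www.forum.example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path
    return 301 https://forum.example.com$request_uri;
}

# 3. The only block that serves the forum.
server {
    listen 443 ssl;
    server_name forum.example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path
    root  /var/www/forum;                                # placeholder path
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$uri&$args;
    }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Hand PHP the configured name, not the raw client header
        # (which may differ in case or carry a port).
        fastcgi_param HTTP_HOST $server_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;         # placeholder socket
    }
}
```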