htaccess to stop Host Header Injection

I have one application hosted on XAMPP; my application URL is https://abc.example.com/pps/prd/. I have an htaccess file at pps/prd/ with the following code to stop Host header injection:

RewriteEngine On
# Return 403 unless the Host header is example.com or a subdomain of it
# (up to three labels of 1-20 characters each). The dots are escaped so
# "example.com" is matched literally, "-" is placed last in the class so
# it is not parsed as a range (the original "9-_" range also admitted
# characters such as ":", "@", "<" and "\"), and an optional :port is
# accepted because clients send it when the site runs on a non-default port.
RewriteCond %{HTTP_HOST} !^([a-z0-9_-]{1,20}\.){0,3}example\.com(:[0-9]{1,5})?$ [NC]
RewriteRule ^ - [F]

When I hit the URL https://abc.example.com/pps/prd/ with some other host in the request header, it works as expected: I get a 403 response from the server.

My issue is when I hit the URL https://abc.example.com/pps/prd (without the trailing slash) with some other host, like example123.com, in the request header. Then I get a 301 Moved Permanently response, and a new request is initiated on the host which I sent in the original request header, in this case example123.com: https://example123.com/pps/prd/. This should not happen.

The htaccess is working as expected when the URL ends with a trailing “/” but not when the trailing “/” is missing.

  • mod_dir’s DirectorySlash directive is causing that redirect (and apparently using the Host header value to do so), and that happens before it even gets to your mod_rewrite stuff there. So you will need to turn this off – but pay attention to the security warning in the docs there. If this would be a potential issue in your setup – then you should implement that redirect yourself via mod_rewrite as well.

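The approach the comment suggests, written out as an added example that is not part of the original question or comment: a .htaccess for pps/prd/ that turns DirectorySlash off, keeps the Host check, and re-creates the trailing-slash redirect with a fixed hostname so the Location header never echoes the request's Host. The canonical host abc.example.com, the Options -Indexes line and the optional-port handling in the Host regex are assumptions made for this example.

```apache
# Added example (not the asker's file). Assumes the application lives at
# /pps/prd/ and that abc.example.com is the canonical hostname (assumption).

# Stop mod_dir from issuing its own 301 for /pps/prd. Its Location header is
# built from the request, which is how an attacker-supplied Host ends up in
# the redirect. The docs warn that with DirectorySlash Off a request without
# the slash can expose a directory listing when Options +Indexes is on, so
# indexes are disabled here (assumption: no listing is wanted).
DirectorySlash Off
Options -Indexes

RewriteEngine On

# 1. Host allow-list: example.com or up to three subdomain labels of 1-20
#    characters, optional :port, case-insensitive. Anything else gets 403.
#    This runs first, so the redirect below is never reached for a bad Host.
RewriteCond %{HTTP_HOST} !^([a-z0-9_-]{1,20}\.){0,3}example\.com(:[0-9]{1,5})?$ [NC]
RewriteRule ^ - [F]

# 2. Re-create the trailing-slash redirect with a fixed hostname.
#    Only fires when the requested path is a directory and lacks the slash,
#    so the redirected request /pps/prd/ does not match again (no loop).
#    %{REQUEST_URI} is the URI path (/pps/prd); the query string is
#    appended automatically by the R flag.
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !/$
RewriteRule ^ https://abc.example.com%{REQUEST_URI}/ [R=301,L]
```

To verify, send `GET /pps/prd` with `Host: example123.com` and expect 403; send it with `Host: abc.example.com` and expect a 301 whose Location is https://abc.example.com/pps/prd/, not a URL built from the request. If you control the vhost configuration rather than only .htaccess, the root-cause alternative is to set ServerName for the vhost and UseCanonicalName On, which makes Apache's self-referential redirects (including mod_dir's) use ServerName instead of the client-supplied Host.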