A recent article in Naked Security caught my eye the other day about a newly publicized web site vulnerability called HTTPoxy. The name is a play on "HTTP" and "proxy": a client can send a request header named Proxy, and the web server copies it into an environment variable called HTTP_PROXY, which many programming libraries treat as the proxy to use for the application's own outgoing HTTP requests. Many web sites use a technology called Common Gateway Interface (CGI), or a CGI-style interface such as FastCGI, to run applications such as site search, collect information submitted on web forms, display comments, run a forum, or display database queries such as pricing in a usable form on a web page, and it is this header-to-environment-variable step that makes them exposed.
The technical details of this vulnerability are explained in the Naked Security article, so I won't repeat them here. The short version is that an attacker can send a Proxy header pointing at a server they control, and a vulnerable application will then route its behind-the-scenes HTTP requests (to a payment API, a pricing service, and so on) through that server. According to the HTTPoxy website, the fix is to block the Proxy request header at the web server, before it ever reaches the web application, and the site has configuration instructions for Apache, nginx and other servers showing how to accomplish that.
A related mitigation is to make sure the application's own outgoing requests use HTTPS. The poisoned variable is HTTP_PROXY, and most client libraries consult it only for plain http:// destinations, so an https:// request to your backend or API is not sent through the attacker's proxy. Be careful about what this does and does not cover: it is about the connections your application makes outward, not the connection your visitors make to your site. Serving your own pages over HTTPS does not stop a client from sending a Proxy header, so it is not by itself a fix for HTTPoxy, and the header should still be blocked at the server. That said, any site ought to be served over HTTPS anyway, which requires installing a TLS (SSL) certificate. We just did this for a website we manage, and it was easily accomplished through the host, GoDaddy, for about $60 per year. Or if you are frugal and technically savvy, Let's Encrypt or FreeSSL may be the solution you prefer.
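To make the mechanism and the two mitigations concrete, here is an added example; it is not code from the original post, from Naked Security or from httpoxy.org. It simulates in Python the step every CGI-style server performs (turning request headers into HTTP_* environment variables, per RFC 3875) and then models how a typical HTTP client library picks a proxy for an outgoing request. The request headers, the 203.0.113.5 proxy address and the pricing.internal backend are constructed for illustration, and the function names are my own.

```python
"""Added example (not from the original post): how a CGI server turns the
client's `Proxy:` request header into the HTTP_PROXY environment variable,
and the two mitigations the text describes (strip the header at the server;
make outgoing requests over https://)."""

from urllib.parse import urlsplit

# Constructed sample request headers, as a web server would receive them from
# a client.  The `Proxy:` header is what an HTTPoxy attacker adds; the address
# is from the RFC 5737 documentation range and is not a real host.
ATTACK_REQUEST_HEADERS = {
    "Host": "shop.example",
    "User-Agent": "Mozilla/5.0",
    "Proxy": "http://203.0.113.5:8080",
}


def cgi_environ(headers, strip_proxy=False):
    """Build the HTTP_* meta-variables a CGI server sets (RFC 3875 section 4.1.18):
    each request header becomes HTTP_<NAME>, upper-cased, with '-' replaced
    by '_'.  That generic rule is the whole bug: `Proxy:` becomes HTTP_PROXY.
    With strip_proxy=True the server drops the header first, which is the
    fix recommended on httpoxy.org."""
    env = {}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue  # mitigation 1: never let a client header become HTTP_PROXY
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def proxy_for(url, environ):
    """Mimic how most HTTP client libraries choose a proxy: HTTP_PROXY for
    http:// destinations, HTTPS_PROXY for https:// ones.  Returns the proxy
    URL or None.  Simplified on purpose: real clients also honour NO_PROXY,
    lower-case variants and library-specific settings."""
    scheme = urlsplit(url).scheme
    if scheme == "http":
        return environ.get("HTTP_PROXY") or environ.get("http_proxy")
    if scheme == "https":
        return environ.get("HTTPS_PROXY") or environ.get("https_proxy")
    return None


def outbound_request_target(url, headers, strip_proxy=False):
    """Where the application's outgoing request actually goes: the attacker's
    proxy if the header was allowed through and the backend URL is plain
    http://, otherwise the intended backend host."""
    env = cgi_environ(headers, strip_proxy=strip_proxy)
    proxy = proxy_for(url, env)
    return proxy if proxy else urlsplit(url).netloc


if __name__ == "__main__":
    backend_http = "http://pricing.internal/api/quote"     # constructed
    backend_https = "https://pricing.internal/api/quote"   # constructed
    print("vulnerable, http backend  :",
          outbound_request_target(backend_http, ATTACK_REQUEST_HEADERS))
    print("header stripped, http     :",
          outbound_request_target(backend_http, ATTACK_REQUEST_HEADERS, strip_proxy=True))
    print("vulnerable, https backend :",
          outbound_request_target(backend_https, ATTACK_REQUEST_HEADERS))
```

Running it shows the first request going to 203.0.113.5:8080 and the other two to pricing.internal. On a real server the equivalent of strip_proxy is a one-line configuration change: with Apache's mod_headers it is `RequestHeader unset Proxy early`, and on nginx it is `fastcgi_param HTTP_PROXY "";` in the FastCGI configuration. The third case is why switching the application's backend calls to https:// helps, and also why it is only a partial measure: it protects those calls, but any remaining http:// request is still redirected.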
One of my current recommendations is to encrypt everything. Any website owner ought to convert their site to HTTPS. The added benefit to your website visitors is that their session is encrypted and protected from prying eyes and man-in-the-middle attacks, so this is basically just good operational security and great customer service.