Support » Plugin: IP Based Login » dns-name instead of ip?

Viewing 1 replies (of 1 total)
  • Plugin Author brijeshk89



    We evaluated this feature and our team says this could be insecure for your site.

    In order to determine the DNS record we need to use $_SERVER[‘HTTP_HOST’] or $_SERVER[‘SERVER_NAME’] variables in PHP.

    The $_SERVER[‘HTTP_HOST’] and $_SERVER[‘SERVER_NAME’] variables can be changed by the user by sending a different Host header when accessing the site:

    curl -H “Host:”

    Doing that, any URLs that used $_SERVER[‘HTTP_HOST’] or $_SERVER[‘SERVER_NAME’] would use

    So lets say you allow to whitelist, some user could access your site by passing the header stating that they are accessing your site from

Viewing 1 replies (of 1 total)
  • The topic ‘dns-name instead of ip?’ is closed to new replies.