A similar question has be answered here already, but I have a very specific scenario in which it didn't fulfil my requirements.
I am setting up an environment which includes a web-service running on an intranet domain.
Certain partitions are available to the public through port forwarding which impose higher security requirements in exchange. For instance, if someone accesses the application through the public domain, he will be required to solve multi-factor authentication on every login and is not allowed to have his login or browser to be remembered through cookies whose lifetime exceeds the session scope.
The idea was to simply suppress the availability of things such as the the "Remember me" functionality through evaluating the Host
header. For example:
- Intranet app is running on
198.168.0.1:45000
; - there's a port-forwarded public domain to this host named
business.someservice.com
; - if the detected host-name does not equal
198.168.0.1:45000
said features are omitted and each request has to be authenticated through MFA.
Above question's answer states that it can not be trusted, but functionality might blunder through the false host claim.
I am wondering:
- What can I do to make this approach safe? Would it suffice to do an additional check whether the client possesses an IP address within private range? And how is that not as easy to manipulate as the host?
- What damage could an attacker possibly do? If he acquired a pair of log-in credentials and tries accessing from the outside by changing the
Host
header to the intranet server, he could be able to be issued a cookie that has a longer lifespan. But he would still have to complete the initial MFA at least once unless he happens to get his hands on a valid MFA remembrance cookie for that specific user, which I assume to be very unlikely. I could only see a particularly witty employee who can authenticate in the intranet to abuse this to gain full-feature access from the outside.