Validating Incoming HTTP requests

Hi Elastic community,

Hope everyone is doing well, and thank you for your support so far.

We’ve encountered a vulnerability related to incoming HTTP requests. We're currently using cURL APIs to create users in Elasticsearch. The host we're using is elksip.til.com:9200, which points to a load balancer hosted on Azure.

During a recent VAPT (Vulnerability Assessment and Penetration Testing), our security team used Burp Suite for testing. They found that even when the Host header was modified to a malicious domain like www.hackers.com, the request was still processed successfully and the user was created — without any errors.

We would like to restrict access so that only requests with the correct Host header (i.e., elksip.til.com:9200) are allowed.

How can we enforce this validation in Elasticsearch 7.11? Is there any recommended way to ensure only requests with the expected Host header are processed?

Looking forward to your guidance.

Thanks!

Elasticsearch 7.11 went EOL almost 3 years ago. If you are concerned about security or other bugs, you must use only supported and maintained versions. You need to upgrade to a supported version as a matter of urgency.

The Host header is only relevant to services that implement virtual hosting, which does not include Elasticsearch, so it is deliberate that Elasticsearch ignores this header.
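Since Elasticsearch ignores the header, a Host allowlist can only be enforced by whatever sits in front of it (the load balancer or a reverse proxy). As an added example that is not from this thread, here is the kind of check such a proxy or middleware would apply; the allowlist entry is the host from the question, and treating a port-less Host value as port 9200 is an assumption.

```python
from typing import Iterable, Optional, Tuple

# Allowlist uses the host from the thread; DEFAULT_PORT is an assumption about
# what the listener treats a port-less Host value as (constructed values).
ALLOWED_HOSTS = {"elksip.til.com:9200"}
DEFAULT_PORT = 9200


def normalize_host(value: str, default_port: int) -> Optional[str]:
    """Lowercase 'host:port' with the port filled in, or None if malformed."""
    value = value.strip().lower()
    if value.startswith("["):                 # IPv6 literal such as [::1]:9200
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[:end + 1], value[end + 1:]
        port = rest[1:] if rest.startswith(":") else ""
    elif value.count(":") == 1:
        host, port = value.split(":")
    elif ":" in value:                        # bare IPv6 or junk: reject
        return None
    else:
        host, port = value, ""
    if not host or (port and not port.isdigit()):
        return None
    return f"{host}:{port or default_port}"


def host_allowed(headers: Iterable[Tuple[str, str]],
                 allowed: Iterable[str] = ALLOWED_HOSTS,
                 default_port: int = DEFAULT_PORT) -> Tuple[bool, str]:
    """Accept only requests with exactly one Host header that normalizes to an
    allowlisted host:port. Duplicate Host headers are rejected because
    intermediaries may disagree on which one counts. Returns (ok, reason)."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    if not hosts:
        return False, "missing host header"
    if len(hosts) > 1:
        return False, "duplicate host header"
    norm = normalize_host(hosts[0], default_port)
    if norm is None:
        return False, "malformed host header"
    if norm not in {normalize_host(a, default_port) for a in allowed}:
        return False, f"host not allowlisted: {norm}"
    return True, "ok"
```

Logging the returned reason at the proxy is what makes the Burp-style modified-Host requests from the question visible instead of silently succeeding.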
