python · starlette · Heads-up
starlette: HTTP Host header validation added for request.url
What changed
The HTTP Host header is now validated against the RFC 9112 §3.2 / RFC 3986 §3.2.2 grammar when request.url is reconstructed; malformed values fall back to scope["server"].
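An added sketch of this kind of check, not Starlette's own code: it tests a Host value against the RFC 3986 §3.2.2 host grammar plus an optional port, and falls back to scope["server"] when the value is malformed. The names is_valid_host and url_netloc and the sample scopes are assumptions made for the example.

```python
import ipaddress
import re

# RFC 3986 §3.2.2: reg-name = *( unreserved / pct-encoded / sub-delims )
_REG_NAME = re.compile(r"(?:[A-Za-z0-9._~!$&'()*+,;=-]|%[0-9A-Fa-f]{2})+")
_PORT = re.compile(r"[0-9]*")  # RFC 3986 §3.2.3: port = *DIGIT


def is_valid_host(value: str) -> bool:
    """Check value against Host = uri-host [ ":" port ] (RFC 9112 §3.2)."""
    if value.startswith("["):
        # IP-literal "[" IPv6address "]"; IPvFuture is left out of this sketch.
        literal, closed, rest = value[1:].partition("]")
        if not closed or "%" in literal:  # no zone ids in RFC 3986 literals
            return False
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return False
        if rest and not rest.startswith(":"):
            return False
        port = rest[1:]
    else:
        # reg-name also covers IPv4address (digits and dots). An empty host
        # names nothing, so this sketch treats it as malformed too.
        host, _, port = value.partition(":")
        if _REG_NAME.fullmatch(host) is None:
            return False
    return _PORT.fullmatch(port) is not None


def url_netloc(scope: dict) -> str:
    """Return the Host header if well-formed, else fall back to scope["server"]."""
    headers = dict(scope.get("headers", []))
    host = headers.get(b"host", b"").decode("latin-1")
    if is_valid_host(host):
        return host
    server_host, server_port = scope["server"]
    return f"{server_host}:{server_port}"


# Constructed ASGI scopes for illustration, not captured traffic.
GOOD = {"server": ("127.0.0.1", 8000), "headers": [(b"host", b"example.com:8443")]}
BAD = {"server": ("127.0.0.1", 8000), "headers": [(b"host", b"example.com/x?y")]}

if __name__ == "__main__":
    print(url_netloc(GOOD))
    print(url_netloc(BAD))
```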
Who it affects
Applications using Starlette that rely on request.url or request.url.path for security-sensitive decisions, especially middleware performing path-based access control.
What to do today
Upgrade to a patched version of Starlette that validates the Host header.