Major Description
Nexus 3.2.0 added header validation to prevent certain attack vectors, for example making sure the host header contains a value that matches IP addresses, host names and port values, and patterns according to RFC-1123.
In a customer security conscious environment, it is desirable to restrict NXRM further, to accept an even more stringent set of values.
Expected
A Nexus administrator should be able to configure patterns, ideally regex based, that will be used to match against incoming HTTP header values. If a header exists, and the value of the header does not match all of the whitelisted patterns, then the request will be rejected with an error before performing any other processing.
Any default patterns that NXRM already validates against need not be circumvented, as default patterns Nexus uses are for the protection of the server in general. The improvement is about making validation even more restrictive - for example only allowing a few specific host names in the host header.
Header values which aggregate from multiple sources ( ie. Host, X-Forwarded-Host, Jetty org.eclipse.jetty.server.ForwardedRequestCustomizer.setHostHeader() ) should also be considered.