
Preventing Host Header Attacks

FICO® Xpress Insight can be configured to accept requests only when the HTTP Host header matches the configured URL, so that access by direct IP address, by an alternative host name, or via localhost is refused. This prevents a class of attack known as a Host Header attack, in which an attacker supplies a Host header of their choosing and the application trusts it, for example when building absolute URLs such as redirects or links in e-mails.
To protect Xpress Insight from a Host Header attack, complete the following steps:
  1. Use a text editor to open the file at \xpressmp\insight\server\wildfly-x.y.z.Final\standalone\configuration\standalone.xml. Within standalone.xml, find the Undertow subsystem, that is, the section that begins with the following text: <subsystem xmlns="urn:jboss:domain:undertow...>
  2. Add the following filter-ref element to the end of the <host> section, replacing insight.example.com:8443 with the hostname and port that users must use to access the service. The value is compared exactly against the Host request header, so it must match what browsers actually send: browsers omit the port when it is the default for the scheme (443 for https), so for a service on port 443 use the bare hostname. If a reverse proxy or load balancer sits in front of Insight, use the Host value that reaches WildFly, not the one the end user types.
    <filter-ref name="host-check" predicate="not(equals(%{i,host}, 'insight.example.com:8443'))"/>
  3. Within standalone.xml, add the following expression-filter element to the end of the <filters> section:
    <expression-filter name="host-check" expression="response-code(503)"/>
  4. Restart the Xpress Insight service.
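The fragment below is an added illustration of what the Undertow subsystem in standalone.xml looks like once steps 2 and 3 are complete; it is not copied from an Xpress Insight installation. The listener name, socket binding, security realm, buffer cache and welcome-content handler are placeholder assumptions standing in for whatever the installed file already contains, and the namespace version must be left as it is in that file. Only the two elements marked NEW are the additions from the procedure.

```xml
<!-- Added illustrative fragment (not from an Xpress Insight install): the Undertow
     subsystem after steps 2 and 3. Everything except the two NEW elements is a
     placeholder assumption; keep the values already present in your standalone.xml.
     The namespace version must stay exactly as in the installed file. -->
<subsystem xmlns="urn:jboss:domain:undertow:VERSION-AS-INSTALLED">
    <buffer-cache name="default"/>
    <server name="default-server">
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <!-- NEW (step 2): apply the host-check filter to every request whose Host
                 header is anything other than the one permitted value.
                 %{i,host} is the Host request header; the comparison is an exact
                 string match, so an unexpected value fails closed (filter applies). -->
            <filter-ref name="host-check"
                        predicate="not(equals(%{i,host}, 'insight.example.com:8443'))"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <!-- NEW (step 3): the filter referenced above. It sets status 503 and does
             not pass the request on, so it never reaches the Insight web applications. -->
        <expression-filter name="host-check" expression="response-code(503)"/>
    </filters>
</subsystem>
```

The filter-ref carries the condition and the expression-filter carries the action, so the two names must agree (host-check in both places); if the predicate is present but the filter definition is missing, WildFly will refuse to start with an error referencing the unknown filter.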

Result

These configuration settings allow Xpress Insight to be served as expected on https://insight.example.com:8443/, but it will respond with 503 Service Unavailable if a user attempts to access Insight on any other URL, such as https://localhost:8443/. To verify the change after the restart, send a request with a mismatched Host header, for example with curl: curl -i -H "Host: localhost:8443" https://insight.example.com:8443/ should return HTTP 503, while the same request without the overridden Host header should return the normal Insight response.