From 7205e1aadc10ebbcf94fcb5277d24195b60fcd2b Mon Sep 17 00:00:00 2001 From: BlaytonV Date: Mon, 2 Jun 2025 20:47:34 -0500 Subject: [PATCH] Add section on host header injection and _external=True in url_for (#5718) --- docs/web-security.rst | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/web-security.rst b/docs/web-security.rst index d742056f..0a05db8e 100644 --- a/docs/web-security.rst +++ b/docs/web-security.rst @@ -293,3 +293,22 @@ pasting, so this isn't strictly necessary. It's also possible to craft dangerous commands in other ways that aren't possible to filter. Depending on your site's use case, it may be good to show a warning about copying code in general. + +Host Header Injection +--------------------- + +Flask’s ``url_for(..., _external=True)`` function generates full URLs based on +the request’s ``Host`` header. If your app does not explicitly set the +``SERVER_NAME`` config or validate incoming host headers, it may be vulnerable +to **host header injection**. This is especially critical when generating external +URLs used in password reset links or redirects, where an attacker can modify +the Host header to inject malicious links. + +.. warning:: + + Always configure ``SERVER_NAME`` and/or use middleware such as Werkzeug’s + ``ProxyFix`` to sanitize headers when deploying behind a proxy or load + balancer. You may also consider validating the ``Host`` header or using + `trusted_hosts` to prevent this class of attack. + + See also: :doc:`deploying/proxy_fix`
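Review bot: The new ``.. warning::`` block describes Werkzeug's ``ProxyFix`` as middleware used "to sanitize headers", which misstates what it does: ``ProxyFix`` rewrites the WSGI environ from the ``X-Forwarded-*`` headers for a configured number of trusted proxies, so it makes the app accept more forwarded host information rather than less, and applying it when no proxy is actually in front of the app makes the reported host easier to spoof. Suggest rewording so the two controls are kept apart: ``SERVER_NAME`` fixes the host that ``url_for(..., _external=True)`` emits, and a host allow-list (``trusted_hosts``) rejects requests whose ``Host`` is not expected, while ``ProxyFix`` is only for correctly receiving the host from a proxy you already trust, as the linked :doc:`deploying/proxy_fix` page explains. Two smaller points in the same lines: `trusted_hosts` is single-backticked, which in RST is the default interpreted-text role (rendered as italics) rather than a literal like the surrounding ``SERVER_NAME``, so it should read ``trusted_hosts`` (and, if these docs target Flask 3.1 or later, cross-reference the ``TRUSTED_HOSTS`` config key); and the opening paragraph says external URLs are generated "based on the request's ``Host`` header" without noting that a configured ``SERVER_NAME`` takes its place, which is the mitigation the whole section rests on and is worth stating in that sentence.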