Rejecting clients with an invalid Host: header
This short article describes how to use mod_security to block HTTP clients that send a broken or missing Host: header; the same ruleset also drops requests with no User-Agent header and CONNECT/TRACE requests. The IfModule lines are not mandatory. Note the two checks per header: "&REQUEST_HEADERS:Host @eq 0" fires when the header is absent entirely, while "REQUEST_HEADERS:Host ^$" fires when it is present with an empty value.
Please read the mod_security docs for more details.
<IfModule mod_security2.c>
# These rules only take effect when SecRuleEngine is On in the main mod_security config.
SecAuditEngine Off
# ModSecurity 2.7+ refuses to start without an id on every rule; the ids below are
# arbitrary values from the local-use range (1-99999) and can be renumbered.
# Block CONNECT and TRACE requests. REQUEST_METHOD is upper-case on the wire and the
# regex match is case-sensitive by default, so (?i) is needed for the rule to fire.
SecRule REQUEST_METHOD "@rx (?i)^(?:connect|trace)$" "id:1001,log,drop,phase:1"
# Block requests without a User-Agent header (header absent)
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" "id:1002,log,drop,phase:1"
# Block requests without a Host: header (header absent)
SecRule &REQUEST_HEADERS:Host "@eq 0" "id:1003,log,drop,phase:1"
# Block requests with an empty User-Agent header (header present, value empty)
SecRule REQUEST_HEADERS:User-Agent "@rx ^$" "id:1004,log,drop,phase:1"
# Block requests with an empty Host: header (header present, value empty)
SecRule REQUEST_HEADERS:Host "@rx ^$" "id:1005,log,drop,phase:1"
</IfModule>
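To see what the five rules actually decide without standing up Apache, here is an added example (not from the article, and not ModSecurity code) that mirrors their logic in Python over constructed raw HTTP request heads. It keeps the article's rule order (first match drops), matches the method case-insensitively as the upper-case wire form requires, and distinguishes the absent-header case (the "&REQUEST_HEADERS:X @eq 0" rules) from the present-but-empty case (the "^$" rules). The rule names, the sample requests and the helper functions are all assumptions made for this example.

```python
"""Added example mirroring the article's five SecRules on raw request heads.
Not part of the article and not ModSecurity code; all sample requests are constructed."""
import re

# Labels for which rule fires (assumed names, matching the article's comments).
BLOCK_METHOD = "method"            # CONNECT / TRACE
MISSING_UA = "missing-user-agent"  # header absent
MISSING_HOST = "missing-host"
EMPTY_UA = "empty-user-agent"      # header present but value empty
EMPTY_HOST = "empty-host"


def parse_request_head(raw: bytes):
    """Split a raw request head into (method, [(name, value), ...]).
    Header names are lower-cased because HTTP header names (and ModSecurity
    collection keys) are compared case-insensitively."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, headers


def check_request(raw: bytes):
    """Return the name of the first rule that would drop the request,
    or None if it passes. Rule order follows the article (all phase:1)."""
    method, headers = parse_request_head(raw)
    # Rule 1: CONNECT/TRACE. The method is upper-case on the wire, so the match
    # must be case-insensitive; a plain "^(connect|trace)$" would never fire.
    if re.match(r"(?i)^(?:connect|trace)$", method):
        return BLOCK_METHOD
    counts = {}
    values = {}
    for name, value in headers:
        counts[name] = counts.get(name, 0) + 1
        values.setdefault(name, value)
    # Rules 2-3: &REQUEST_HEADERS:X "@eq 0" -> header is absent entirely.
    if counts.get("user-agent", 0) == 0:
        return MISSING_UA
    if counts.get("host", 0) == 0:
        return MISSING_HOST
    # Rules 4-5: REQUEST_HEADERS:X "^$" -> header present with an empty value.
    if values["user-agent"] == "":
        return EMPTY_UA
    if values["host"] == "":
        return EMPTY_HOST
    return None


# Constructed sample requests (not captured traffic).
GOOD = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n"
EMPTY_HOST_REQ = b"GET / HTTP/1.1\r\nHost:\r\nUser-Agent: curl/8.0\r\n\r\n"
TRACE_REQ = b"TRACE / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    samples = [("good", GOOD), ("no-host", NO_HOST),
               ("empty-host", EMPTY_HOST_REQ), ("trace", TRACE_REQ)]
    for label, req in samples:
        print(f"{label:12} -> {check_request(req)}")
```

The checker returns None for the well-formed request and the rule name for the others, which is also a convenient way to confirm, before deploying, that a legitimate client of yours (one that sends Host: but no User-Agent, say) would not be caught by the stricter rules.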
Thanks to Vegar for the contribution!