Skip to main content

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY HTTP_PROXY is a popular environment variable used to configure an outgoing proxy.

:: Microsoft IIS with PHP or a CGI framework
:: For detailed information about mitigating httpoxy on IIS, you should head to the
:: official Microsoft article KB3179800, which covers the below mitigations in
:: greater detail.
:: Also important to know: httpoxy does not affect any Microsoft Web Frameworks,
:: e.g. not ASP.NET nor Active Server Pages. But if you have installed PHP or any
:: other third party framework on top of IIS, we recommend applying mitigation
:: steps to protect from httpoxy attacks. You can either block requests containing
:: a Proxy header, or clear the header. (The header is safe to block, because
:: browsers will not generally send it at all).
:: To block requests that contain a Proxy header (the preferred solution), run the
:: following command line.

%systemroot%\system32\inetsrv\appcmd set config /section:requestfiltering /+requestlimits.headerLimits.[header='proxy',sizelimit='0']