DNS rebinding (Rust HTTP transport)
A Rust HTTP transport accepts requests in a setting where local clients are expected, but browser-origin traffic can still reach the service through DNS rebinding. The task is to enforce the host boundary before request dispatch while preserving legitimate local and configured client flows.
| Dimension | Preview |
|---|---|
| Ecosystem | Rust |
| CWE class | CWE-346 (Origin Validation Error) |
| Security theme | Host-origin validation |
| Work type | HTTP transport hardening |
| Disclosure | Class-level security brief |
| Grading focus | Host-boundary behavior and local-client compatibility |
Environment
The agent has to inspect the request path, identify where host trust is established, and add the guard where policy can actually be enforced. Broad denial is not enough; ordinary local use must continue to work.
Evaluation focus
The environment separates real host-boundary enforcement from superficial fixes such as overbroad localhost rejection, address-family assumptions, or checks performed too late in the request path. Strong solutions preserve the intended client flows while enforcing the boundary before dispatch.
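A sketch of a Host check that runs before dispatch, written for this brief as an added example; it is not code from the environment or from any particular transport. The function names and the configured host `devbox.internal.example` are assumptions made for illustration.

```rust
use std::net::{IpAddr, Ipv6Addr};

/// Reduce a Host header value to a bare lowercase host; None if malformed.
fn normalize_host(value: &str) -> Option<String> {
    let v = value.trim();
    let (host, port) = if let Some(rest) = v.strip_prefix('[') {
        // Bracketed IPv6 literal such as "[::1]:8080".
        let (addr, tail) = rest.split_once(']')?;
        addr.parse::<Ipv6Addr>().ok()?;
        let port = if tail.is_empty() { None } else { Some(tail.strip_prefix(':')?) };
        (addr, port)
    } else if let Some((h, p)) = v.rsplit_once(':') {
        (h, Some(p))
    } else {
        (v, None)
    };
    // A port, when present, must be plain digits within the u16 range.
    let port_ok = port.map_or(true, |p| p.bytes().all(|b| b.is_ascii_digit()) && p.parse::<u16>().is_ok());
    // A trailing dot names the same host, so strip it before comparing.
    let host = host.strip_suffix('.').unwrap_or(host).to_ascii_lowercase();
    if port_ok && !host.is_empty() { Some(host) } else { None }
}

fn is_loopback(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(a) => a.is_loopback(), // all of 127.0.0.0/8
        // ::1, plus IPv4-mapped forms such as ::ffff:127.0.0.1
        IpAddr::V6(a) => a.is_loopback() || a.to_ipv4_mapped().map_or(false, |m| m.is_loopback()),
    }
}

/// Exact-match policy: loopback literals, "localhost", or a configured name.
pub fn host_allowed(header: Option<&str>, configured: &[&str]) -> bool {
    match header.and_then(normalize_host) {
        None => false, // a missing or malformed Host is rejected
        Some(h) => h == "localhost"
            || configured.iter().any(|c| c.eq_ignore_ascii_case(&h))
            || h.parse::<IpAddr>().map_or(false, is_loopback),
    }
}

/// Run `dispatch` only after the Host check passes; otherwise answer 403.
pub fn guard(header: Option<&str>, configured: &[&str], dispatch: impl FnOnce() -> u16) -> u16 {
    if host_allowed(header, configured) { dispatch() } else { 403 }
}

fn main() {
    println!("{}", guard(Some("rebind.attacker.example:8080"), &[], || 200));
}
```

Matching is exact after normalization, so names that merely start with `localhost` or `127.0.0.1` are rejected, while both address families and configured hosts keep working.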