
Domain Fronting Attack Detection Feature on ProxySG or ASG


Article ID: 173281


Updated On:


ProxySG Software - SGOS


Implementing the Domain Fronting Detection feature on ProxySG or Advanced Secure Gateway.


SGOS version or later.


Domain Fronting Detection

Domain fronting is when the HTTP Host header or TCP port differs from the Host in the URL. For example:


SGOS and SGOS  introduce the "" and "http.connect.port" policy gestures, which record and report the actual "host" and "port" values in the CONNECT request, obtained by parsing the first line of the request. 

These policy gestures are available as VPM Source column objects in the Web Access Layer:

HTTP Connect Hostname: Tests the hostname (the host value in the first line of the HTTP CONNECT request) obtained from the original HTTP CONNECT request URL.

HTTP Connect Port: Tests the port (the port value in the first line of the HTTP CONNECT request) obtained from the original HTTP CONNECT request URL.

Example using Content Policy Language (CPL) to stop a domain fronting request

The can be used with $( substitution variable to compare the value of the against the value of

For example:


This policy would block any request if the HTTP CONNECT host differs from the host in the URL.
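To make the comparison behind this policy concrete, the following Python is an added illustration (not SGOS code, not CPL, and not part of this article): it parses the host and port from the first line of an HTTP CONNECT request, then compares them with the host and port named by the request that follows inside the tunnel (its absolute-form URL if present, otherwise its Host header), as an intercepting proxy would see it. The request samples are constructed for the example; a port is only reported as a mismatch when the inner request names one explicitly.

```python
"""Domain-fronting check: CONNECT target versus tunnelled request host/port.

Added example, not product code: it models the comparison a policy such as
the one above performs (CONNECT host/port against the host/port in the URL).
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit


def parse_connect_target(request_line: str) -> Tuple[str, int]:
    """Return (host, port) from a request line such as 'CONNECT host:port HTTP/1.1'.

    IPv6 literals in brackets ('[2001:db8::1]:443') are handled by splitting on
    the last colon and stripping the brackets.
    """
    method, target, _version = request_line.strip().split(" ", 2)
    if method.upper() != "CONNECT":
        raise ValueError("not a CONNECT request line")
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError("CONNECT target must be host:port")
    return host.strip("[]").lower(), int(port)


def parse_inner_request(raw: str, default_port: int) -> Tuple[Optional[str], int]:
    """Return (host, port) that the tunnelled request addresses.

    Prefers an absolute-form request-target ('GET https://h/p HTTP/1.1'),
    otherwise uses the Host header. When no port is stated, default_port is
    assumed (the caller passes the CONNECT port, so an unstated port is not
    treated as a mismatch). A request with neither source yields host None.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)

    authority = None
    if target.startswith(("http://", "https://")):
        authority = urlsplit(target).netloc
    else:
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                authority = value.strip()
                break
    if not authority:
        return None, default_port

    # Parsing '//authority' lets urlsplit separate host, port and IPv6 brackets.
    parts = urlsplit("//" + authority)
    port = parts.port if parts.port is not None else default_port
    return parts.hostname, port


def fronting_reason(connect_line: str, inner_request: str) -> Optional[str]:
    """Return a description of the mismatch, or None when CONNECT and URL agree."""
    c_host, c_port = parse_connect_target(connect_line)
    u_host, u_port = parse_inner_request(inner_request, default_port=c_port)
    if u_host != c_host:
        return f"host mismatch: CONNECT {c_host} vs URL {u_host}"
    if u_port != c_port:
        return f"port mismatch: CONNECT {c_port} vs URL {u_port}"
    return None


# Constructed sample traffic: (CONNECT request line, first request inside the tunnel)
SAMPLES = [
    ("CONNECT www.example.com:443 HTTP/1.1",
     "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("CONNECT www.example.com:443 HTTP/1.1",
     "GET / HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"),
    ("CONNECT www.example.com:443 HTTP/1.1",
     "GET / HTTP/1.1\r\nHost: www.example.com:8443\r\n\r\n"),
]


def audit(samples) -> list:
    """Run the check over (connect_line, inner_request) pairs; return the mismatches."""
    findings = []
    for connect_line, inner in samples:
        reason = fronting_reason(connect_line, inner)
        if reason is not None:
            findings.append((connect_line, reason))
    return findings


if __name__ == "__main__":
    for connect_line, reason in audit(SAMPLES):
        print(f"{connect_line!r}: {reason}")
```

Run as a script it reports the second and third samples; the same two functions can be pointed at decrypted request captures when checking how a policy like the one above would have classified them.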

New Access Log fields

You can add the following new access log fields to an access log format to help track possible domain fronting attempts: