Password reset and web-cache poisoning (And a little surprise in RFC-2616)

2020 update: I've designed an up to date and in-depth exploration of this topic with interactive labs, which you can find at HTTP Host header attacks. The original post is preserved below:

Introduction

How does a deployable web-application know where it is? Creating a trustworthy absolute URI is trickier than it sounds. Dev