Edge Cache

Cache Poisoning

The CDN keys cache entries on URL only, but the origin reflects `X-Forwarded-Host` into the page body, so an attacker request poisons the cache for everyone else.

CWE-345
Back to hub Reload scenario
Cache audit 

  


      

    


    

      

        
Expected Findings

        
    
          
  • `X-Forwarded-Host` is reflected into anchor and form action attributes.
  • CDN cache key omits the header, so poisoned response is served to all clients.
  • `Vary` does not include the relevant headers.
    • 
        

      


      

      

        
Signals

        
        

          
Bug

          
<a href="https://${X-Forwarded-Host}/login">Login</a>

        

        
      

    


    

    

      Developed by vibe-eval.com for validation and testing purposes only.