Configure the Sophos Mobile web server
Sophos Mobile includes a web server component for providing the content of the Sophos Mobile Admin and Sophos Mobile Self Service Portal web applications. You can configure the web server to adjust it to your environment.
HTTP requests to a web server include a Host field in the request header, specifying the web application to process the request. An attacker can potentially manipulate the value of that Host field to provoke unintended behavior.
After installation, the web server component of Sophos Mobile doesn't verify the value of the Host field. We recommend you configure the web server so that it only accepts requests directed to your domain name.
On the computer on which you've installed the Sophos Mobile server, run the script
Replace %MDM_HOME% with your Sophos Mobile installation folder.
Open the file %MDM_HOME%\wildfly\standalone\configuration\smc-config.xml in a text editor and search for the following section:
<filter name="hostheadervalidation" ...>
  <param name="allowedHosts" value="localhost"/>
</filter>
After localhost, add your domain name for Sophos Mobile Admin and for the Sophos Mobile Self Service Portal.
For example, if your domain name is smc.example.com, change the line as follows:
<param name="allowedHosts" value="localhost,smc.example.com"/>
If your Sophos Mobile server can be accessed under more than one domain name, enter all names separated by commas.
Save the file.
Restart the Sophos Mobile service.
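To confirm the edit took effect as intended, the following added example (not Sophos code) parses the hostheadervalidation section and compares allowedHosts with the names your server is published under. The function names, the ssp.example.com host and the surrounding element nesting in the constructed sample are assumptions; only the filter and param lines come from the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippet in the steps above; the real
# smc-config.xml has further attributes and surrounding elements.
SAMPLE = """<config>
  <filter name="hostheadervalidation">
    <param name="allowedHosts" value="localhost,smc.example.com"/>
  </filter>
</config>"""


def local(tag):
    """Strip an XML namespace prefix, e.g. '{urn:x}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def allowed_hosts(xml_text):
    """Return the allowedHosts entries (trimmed, lower-cased), or None if
    the hostheadervalidation filter or its parameter is absent."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if local(el.tag) == "filter" and el.get("name") == "hostheadervalidation":
            for p in el:
                if local(p.tag) == "param" and p.get("name") == "allowedHosts":
                    value = p.get("value", "")
                    return [h.strip().lower() for h in value.split(",") if h.strip()]
    return None


def audit(xml_text, expected):
    """Compare the configured hosts with the names the server is reached by."""
    hosts = allowed_hosts(xml_text)
    if hosts is None:
        return {"configured": False, "missing": sorted(expected), "unexpected": []}
    want = {h.lower() for h in expected}
    have = set(hosts)
    return {
        "configured": True,
        "missing": sorted(want - have),                    # names still to add
        "unexpected": sorted(have - want - {"localhost"}),  # names to review
    }


if __name__ == "__main__":
    # ssp.example.com is a hypothetical second name for the Self Service Portal.
    print(audit(SAMPLE, ["smc.example.com", "ssp.example.com"]))
```

To check a real installation, read the contents of smc-config.xml and pass them as xml_text.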