Domain Fronting

Domain fronting is a technique that abuses the request routing of CDNs and cloud front ends to disguise the true destination of HTTPS traffic. The client opens a TLS connection to a CDN edge with a popular, benign domain in the SNI (Server Name Indication) field of the ClientHello, which is sent in cleartext and is therefore visible to network monitors, while placing the actual target domain in the HTTP Host header inside the encrypted TLS session. Because both domains are served from the same CDN infrastructure and IP range, and because the edge routes on the Host header rather than the SNI, the traffic appears to go to the fronted domain but is internally forwarded to the attacker's origin. Anyone who can only see the SNI, the destination IP and the edge's certificate (firewalls, passive DNS/SNI filters, IP reputation feeds) sees nothing but a request to the benign domain; only the CDN edge, or a TLS-terminating proxy that compares the decrypted Host header against the SNI, can see the mismatch. Domain fronting has been used by censorship-circumvention tools (for example the meek pluggable transport for Tor) and by malware operators for command-and-control. Major cloud providers (Google and AWS CloudFront in 2018, and Cloudflare) have progressively disabled this capability by enforcing SNI/Host consistency, returning an error or dropping the connection when the two do not match, so the technique now depends on finding a CDN that still routes on Host alone.
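The SNI/Host split described above, written out as a small Python example that is added here and is not code from the original page. The first function builds the fronted request (SNI carrying the front domain, Host header carrying the hidden domain); the second opens a real TLS connection that way and is only provided for reference, since it needs a live CDN edge. The third function is the detection side: it runs over a few constructed log records in an invented format modelled on what a TLS-terminating proxy can log (ClientHello SNI, decrypted Host header, the certificate SANs the edge presented) and flags connections whose Host is neither the SNI nor covered by the edge certificate. All domain names, the edge IP and the log format are assumptions for illustration.

```python
"""Domain fronting: building the SNI/Host split and detecting it in proxy logs.

Added example, not part of the original page. front.example, hidden.example,
203.0.113.10 and the JSON log layout are invented for illustration.
"""
import json
import socket
import ssl
from typing import Dict, List, Tuple


def build_fronted_request(front_domain: str, hidden_domain: str,
                          path: str = "/") -> Tuple[str, bytes]:
    """Return (sni, raw HTTP/1.1 request) for a domain-fronted fetch.

    The SNI travels in the cleartext ClientHello, so a passive observer sees
    front_domain. The Host header is inside the TLS record, so only the CDN
    edge (or a TLS-terminating proxy) sees hidden_domain.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {hidden_domain}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return front_domain, request


def send_fronted_request(edge_addr: Tuple[str, int], front_domain: str,
                         hidden_domain: str, path: str = "/",
                         timeout: float = 10.0) -> bytes:
    """Open TLS to a CDN edge with SNI=front_domain and request hidden_domain.

    Network call, not exercised offline. The default context verifies the
    edge's certificate against front_domain, which is exactly why the front
    must be a domain the edge legitimately serves. An edge that enforces
    SNI/Host consistency answers with an error or closes the connection.
    """
    sni, request = build_fronted_request(front_domain, hidden_domain, path)
    ctx = ssl.create_default_context()
    with socket.create_connection(edge_addr, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample: one JSON record per connection as a TLS-terminating proxy
# might log it. Record 2 is a fronted C2 beacon; record 4 uses an IP literal as
# Host. Records 1 and 3 are ordinary traffic to the same CDN tenant.
SAMPLE_PROXY_LOG = """\
{"src":"10.0.5.21","dst":"203.0.113.10","sni":"www.front.example","host":"www.front.example","san":["www.front.example","front.example"]}
{"src":"10.0.5.21","dst":"203.0.113.10","sni":"www.front.example","host":"c2.hidden.example","san":["www.front.example","front.example"]}
{"src":"10.0.5.40","dst":"203.0.113.10","sni":"cdn.front.example","host":"static.front.example","san":["*.front.example"]}
{"src":"10.0.5.40","dst":"203.0.113.10","sni":"cdn.front.example","host":"198.51.100.7","san":["*.front.example"]}
"""


def host_matches_san(host: str, sans: List[str]) -> bool:
    """True if host is covered by one of the certificate's SAN entries.

    A wildcard entry covers exactly one leftmost label (RFC 6125 style), so
    *.front.example matches static.front.example but not a.b.front.example.
    """
    host = host.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            suffix = san[1:]  # ".front.example"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == san:
            return True
    return False


def detect_fronting(log_text: str) -> List[Dict[str, str]]:
    """Flag connections whose Host header is neither the SNI nor covered by
    the certificate the edge presented for that SNI.

    A Host that the edge's own certificate does not name is the fronting
    signature: the client asked for a domain the edge never claimed to be.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni = rec["sni"].lower().rstrip(".")
        host = rec["host"].split(":")[0].lower().rstrip(".")  # drop :port
        if host == sni or host_matches_san(host, rec["san"]):
            continue
        findings.append({"src": rec["src"], "dst": rec["dst"],
                         "sni": sni, "host": host,
                         "reason": "Host not covered by SNI or edge certificate"})
    return findings


if __name__ == "__main__":
    sni, req = build_fronted_request("www.front.example", "c2.hidden.example", "/beacon")
    print("SNI (cleartext):", sni)
    print("Request (inside TLS):", req)
    for f in detect_fronting(SAMPLE_PROXY_LOG):
        print("FRONTING?", f)
```

The detection rule deliberately treats "Host covered by the presented certificate" as benign rather than requiring Host == SNI exactly, because legitimate CDN tenants routinely mix hostnames under one wildcard certificate; it only works where TLS is terminated, since the Host header is otherwise invisible.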

Example

Malware operators put their C2 server behind a CDN as an origin for a domain they control, then have the implant send its beacons with the SNI set to a well-known domain hosted on the same CDN (for example cloudflare.com) and the Host header set to their own domain. On the wire, and in any control that inspects only the SNI, destination IP or certificate, the traffic looks like HTTPS to cloudflare.com, so SNI/DNS allow-lists and IP reputation do not flag it. This only works as long as that CDN routes on the Host header regardless of the SNI; where the provider enforces SNI/Host consistency the beacon is rejected, and a TLS-terminating proxy that compares the decrypted Host header with the SNI can detect the mismatch.