HTTP: Is an IP address allowed in the host header field?

Question

I have read the RFC 2616 (HTTP/1.1) and I think it’s not clear regarding the above question.

As far as I understand, the purpose of the host header field is to be able to offer several domains under one IP address. So an IP address in the host header field would not make much sense. But the RFC 2616 does not explicitly prohibit that.

So my first question is: If I program a HTTP server, should I implement a check, whether the client sends an IP address in the host header field or is this unnecessary, because no client would ever do that?

Second question: If the client sends an IP address in the host header field, should the server handle it as valid or should it return "400 Bad Request"?

Answer 1

The Host header can be a raw IP literal. The appropriate RFC citations are:

• RFC7230§5.4: Host header
• RFC7230§2.7: Uniform Resource Identifiers - defines uri-host
• RFC3986§3.2.2: Host - defines host

The definition of host from RFC3986 is:

host = IP-literal / IPv4Address / reg-name

As for returning 400 Bad Request, I certainly wouldn't. If you type "http://172.217.3.100/", then the browser (or at least curl) will send Host: 172.217.3.100 in the request.