I have read the RFC 2616 (HTTP/1.1) and I think it’s not clear regarding the above question.
As far as I understand, the purpose of the host header field is to be able to offer several domains under one IP address. So an IP address in the host header field would not make much sense. But the RFC 2616 does not explicitly prohibit that.
So my first question is: If I program an HTTP server, should I implement a check for whether the client sends an IP address in the host header field, or is this unnecessary because no client would ever do that?
Second question: If the client sends an IP address in the host header field, should the server handle it as valid or should it return "400 Bad Request"?
The Host header can be a raw IP literal. The appropriate RFC citations are:
uri-host
host
The definition of host from RFC3986 is:
host = IP-literal / IPv4Address / reg-name
As for returning 400 Bad Request, I certainly wouldn't. If you type "http://172.217.3.100/", then the browser (or at least curl) will send Host: 172.217.3.100 in the request.
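An added example, not part of the original answer: a Python sketch of the server-side check the question asks about, which accepts all three host forms from the grammar above and answers 400 only when the value is syntactically invalid. It assumes the Host field value is uri-host [ ":" port ]; the function names are hypothetical, and IPvFuture literals, zone identifiers and an empty host are rejected as a simplification of this sketch.

```python
import ipaddress
import re

# reg-name = *( unreserved / pct-encoded / sub-delims ), from RFC 3986
REG_NAME = re.compile(r"(?:[A-Za-z0-9._~!$&'()*+,;=-]|%[0-9A-Fa-f]{2})+")
PORT = re.compile(r"[0-9]*")  # port = *DIGIT


def classify_host(value):
    """Return (kind, host, port) for a Host field value, or None if malformed."""
    if value.startswith("["):
        # IP-literal: bracketed IPv6 address (IPvFuture is not handled here)
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None
        port = rest[1:]
        try:
            if "%" in host:  # zone identifiers are rejected in this sketch
                return None
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
        kind = "IP-literal"
    else:
        host, _, port = value.partition(":")
        if not REG_NAME.fullmatch(host):  # an empty host is rejected here too
            return None
        try:
            ipaddress.IPv4Address(host)
            kind = "IPv4address"
        except ValueError:
            kind = "reg-name"
    if not PORT.fullmatch(port):
        return None
    return kind, host, int(port) if port else None


def status_for(value):
    """400 only for a syntactically invalid Host value, never for an IP as such."""
    return 400 if classify_host(value) is None else 200


if __name__ == "__main__":
    # Constructed sample values, not taken from real traffic
    for sample in ["172.217.3.100", "[2001:db8::1]:8080", "example.com:80", "2001:db8::1"]:
        print(sample, classify_host(sample), status_for(sample))
```

An unbracketed IPv6 address is rejected because the first colon is read as the port separator, which is why the grammar requires brackets around an IP-literal.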