Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is HTTP "Host" header?

Tags:

http-headers

http

People also ask

How is Host header used?

The host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request to the specified website or web application. Each web application hosted on the same IP address is commonly referred to as a virtual host.

What is the purpose of host in HTTP?

Introduced in HTTP 1.1, a host header is a third piece of information that you can use in addition to the IP address and port number to uniquely identify a Web domain or, as Microsoft calls it, an application server.

Is HTTP Host header mandatory?

According to the RFC you linked here: "A client MUST include a Host header field in all HTTP/1.1 request messages". So the Host header is mandatory.

What is HTTP header with example?

An HTTP header is a field of an HTTP request or response that passes additional context and metadata about the request or response. For example, a request message can use headers to indicate it's preferred media formats, while a response can use header to indicate the media format of the returned body.

The Host Header tells the webserver which virtual host to use (if set up). You can even have the same virtual host using several aliases (= domains and wildcard-domains). In this case, you still have the possibility to read that header manually in your web app if you want to provide different behavior based on different domains addressed. This is possible because in your webserver you can (and if I'm not mistaken you must) set up one vhost to be the default host. This default vhost is used whenever the host header does not match any of the configured virtual hosts.

That means: You get it right, although saying "multiple hosts" may be somewhat misleading: The host (the addressed machine) is the same, what really gets resolved to the IP address are different domain names (including subdomains) that are also referred to as hostnames (but not hosts!).

Although not part of the question, a fun fact: This specification led to problems with SSL in early days because the web server has to deliver the certificate that corresponds to the domain the client has addressed. However, in order to know what certificate to use, the webserver should have known the addressed hostname in advance. But because the client sends that information only over the encrypted channel (which means: after the certificate has already been sent), the server had to assume you browsed the default host. That meant one ssl-secured domain per IP address / port-combination.

This has been overcome with Server Name Indication; however, that again breaks some privacy, as the server name is now transferred in plain text again, so every man-in-the-middle would see which hostname you are trying to connect to.

Although the webserver would know the hostname from Server Name Indication, the Host header is not obsolete, because the Server Name Indication information is only used within the TLS handshake. With an unsecured connection, there is no Server Name Indication at all, so the Host header is still valid (and necessary).

Another fun fact: Most webservers (if not all) reject your HTTP request if it does not contain exactly one Host header, even if it could be omitted because there is only the default vhost configured. That means the minimum required information in an http-(get-)request is the first line containing METHOD RESOURCE and PROTOCOL VERSION and at least the Host header, like this:

GET /someresource.html HTTP/1.1
Host: www.example.com

In the MDN Documentation on the "Host" header they actually phrase it like this:

A Host header field must be sent in all HTTP/1.1 request messages. A 400 (Bad Request) status code will be sent to any HTTP/1.1 request message that lacks a Host header field or contains more than one.

As mentioned by Darrel Miller, the complete specs can be found in RFC7230.


I would always recommend going to the authoritative source when trying to understand the meaning and purpose of HTTP headers.

The "Host" header field in a request provides the host and port
information from the target URI, enabling the origin server to
distinguish among resources while servicing requests for multiple
host names on a single IP address.

https://www.rfc-editor.org/rfc/rfc7230#section-5.4

Related questions

What is the difference between server side cookie and client side cookie?
Two forward slashes in a url/src/href attribute [duplicate]
What REST PUT/POST/DELETE calls should return by a convention?
How to allow http content within an iframe on a https site [duplicate]
Easy way to test a URL for 404 in PHP?
HTTP Content-Type Header and JSON
Status code when deleting a resource using HTTP DELETE for the second time
How to make HTTP Post request with JSON body in Swift
Error: No default engine was specified and no extension was provided
What is the canonical way to determine commandline vs. http execution of a PHP script?
Read url to string in few lines of java code
Preferred Java way to ping an HTTP URL for availability
Cross Domain Form POSTing
Is it possible to cache POST methods in HTTP?
How can I select and upload multiple files with HTML and PHP, using HTTP POST?
Http Basic Authentication in Java using HttpClient?
get client time zone from browser [duplicate]
How to get access to HTTP header information in Spring MVC REST controller?
Setting HTTP headers
Why is Cache-Control attribute sent in request header (client to server)?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!