
When could the HTTP Host header be undefined?

According to RFC 2616, which defines HTTP/1.1, the Host: header is mandatory.

A client MUST include a Host header field in all HTTP/1.1 request messages.

But the PHP manual implies that it could be empty:

'HTTP_HOST': Contents of the Host: header from the current request, if there is one.

In which situations could this header, and thus $_SERVER['HTTP_HOST'], be empty? Could my application depend on its being there?

Tim asked May 14 '11 19:05


People also ask

Is HTTP host header mandatory?

The HTTP host header is a request header that specifies the domain that a client (browser) wants to access. This header is necessary because it is pretty standard for servers to host websites and applications at the same IP address. However, they don't automatically know where to direct the request.

What is the host header in HTTP request?

The Host request header specifies the host and port number of the server to which the request is being sent. If no port is included, the default port for the service requested is implied (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL). A Host header field must be sent in all HTTP/1.1 request messages.

Do all browsers send host header?

Yes, all mainstream browsers send the Host header as it is mandatory for all requests sent via HTTP/1.1.

Can host header be spoofed?

If a web server relies on the supplied value of the Host header, a malicious user can provide a spoofed value to generate misleading links on your website and in transactional emails.


1 Answer

It can be empty in HTTP 1.0. If no host header is specified, virtual hosting won't work at all, so the default vhost in your web server will be used.

I just tested this myself; in PHP under Nginx the $_SERVER['HTTP_HOST'] variable got set to the name of the virtual host, which is _ in my case. But that also depends on your fastcgi_params configuration in Nginx.

On shared hosting this is not important since the default vhost will be set to some information page from the hosting company, and so your script will not be run. Could be a good thing to keep in mind for your own server though.

Emil Vikström answered Sep 27 '22 19:09
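
One way to handle the cases discussed above, as an added example that is not part of the original question or answer: treat $_SERVER['HTTP_HOST'] as optional and untrusted, and fall back to a configured name when it is missing, is a catch-all name such as _, or is not one of your own hostnames. The allowlist, the canonical host and the function name resolve_host are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical configuration: the hostnames this application is really served under.
const ALLOWED_HOSTS  = ['example.com', 'www.example.com'];
// Used whenever the Host header is absent or not on the allowlist.
const CANONICAL_HOST = 'example.com';

/**
 * Return a hostname that is safe to use in generated links and e-mails.
 * The server array is passed in (instead of reading $_SERVER directly)
 * so the function can be exercised with constructed input.
 */
function resolve_host(array $server): string
{
    $raw = $server['HTTP_HOST'] ?? '';
    if (!is_string($raw) || $raw === '') {
        // HTTP/1.0 request without a Host header, served by the default vhost.
        return CANONICAL_HOST;
    }

    // Normalise: lower-case, drop an optional ":port" and a trailing dot.
    $host = strtolower(trim($raw));
    $host = (string) preg_replace('/:\d+$/', '', $host);
    $host = rtrim($host, '.');

    // Strict comparison against the allowlist; anything else gets the fallback.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

// Constructed sample inputs covering the situations described on this page.
$samples = [
    'HTTP/1.0, no Host header'  => [],
    'nginx catch-all name "_"'  => ['HTTP_HOST' => '_'],
    'normal browser request'    => ['HTTP_HOST' => 'WWW.Example.com:8080'],
    'client-supplied other host' => ['HTTP_HOST' => 'other.example'],
];

foreach ($samples as $label => $server) {
    printf("%-28s => %s\n", $label, resolve_host($server));
}
```

In a real request handler the call would be resolve_host($_SERVER), and the result, not the raw header, is what goes into absolute URLs and outgoing mail.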