According to RFC 2616, which defines HTTP/1.1, the Host: header is mandatory.
A client MUST include a Host header field in all HTTP/1.1 request messages.
But the PHP manual implies that it could be empty:
'HTTP_HOST': Contents of the Host: header from the current request, if there is one.
In which situations could this header, and thus $_SERVER['HTTP_HOST'], be empty? Could my application depend on its being there?
The HTTP host header is a request header that specifies the domain that a client (browser) wants to access. This header is necessary because it is pretty standard for servers to host websites and applications at the same IP address. However, they don't automatically know where to direct the request.
The Host request header specifies the host and port number of the server to which the request is being sent. If no port is included, the default port for the service requested is implied (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL). A Host header field must be sent in all HTTP/1.1 request messages.
Yes, all mainstream browsers send the Host header as it is mandatory for all requests sent via HTTP/1.1.
However, if a web server relies on the supplied value of the Host header, a malicious user can provide a spoofed value to generate misleading links on your website and in transactional emails.
It can be empty in HTTP 1.0. If no host header is specified, virtual hosting won't work at all, so the default vhost in your web server will be used.
I just tested this myself; in PHP under Nginx the $_SERVER['HTTP_HOST'] variable got set to the name of the virtual host, which is _ in my case. But that also depends on your fastcgi_params configuration in Nginx.
On shared hosting this is not important since the default vhost will be set to some information page from the hosting company, and so your script will not be run. Could be a good thing to keep in mind for your own server though.
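An added example, not part of the original answers: one way for a PHP application to avoid depending on $_SERVER['HTTP_HOST'] is to treat it as untrusted input, handle the case where it is absent or set to a catch-all value such as _, and accept only hostnames on an allowlist. The names ALLOWED_HOSTS, DEFAULT_HOST and trusted_host() are hypothetical, and the example.com hostnames are placeholders.

```php
<?php
declare(strict_types=1);

// Assumption: the hostnames this application is meant to serve (placeholders).
const ALLOWED_HOSTS = ['example.com', 'www.example.com'];
// Assumption: the canonical name used when the header cannot be trusted.
const DEFAULT_HOST = 'example.com';

/**
 * Return a hostname that is safe to use in generated links and e-mails.
 * Falls back to DEFAULT_HOST when the Host header is absent, empty,
 * malformed, or not on the allowlist.
 */
function trusted_host(array $server): string
{
    $raw = $server['HTTP_HOST'] ?? '';
    if (!is_string($raw) || $raw === '') {
        // HTTP/1.0 request without a Host header, or the variable was not passed on.
        return DEFAULT_HOST;
    }

    $host = strtolower(trim($raw));
    // Drop an optional ":port" suffix; the header may carry host:port.
    $host = (string) preg_replace('/:\d{1,5}$/', '', $host);
    // "example.com." and "example.com" name the same host.
    $host = rtrim($host, '.');

    // Strict comparison against the allowlist; anything else is ignored.
    return in_array($host, ALLOWED_HOSTS, true) ? $host : DEFAULT_HOST;
}

// Constructed sample inputs covering the cases discussed above.
$samples = [
    'no header (HTTP/1.0)'  => [],
    'empty header'          => ['HTTP_HOST' => ''],
    'nginx catch-all name'  => ['HTTP_HOST' => '_'],
    'mixed case with port'  => ['HTTP_HOST' => 'WWW.Example.com:443'],
    'host not on allowlist' => ['HTTP_HOST' => 'unexpected.invalid'],
];

foreach ($samples as $label => $server) {
    printf("%-22s => %s\n", $label, trusted_host($server));
}
```

Build absolute URLs and e-mail links from the returned value rather than from $_SERVER['HTTP_HOST'] directly.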