
Re: Host header with an empty value?

From: Willy Tarreau <w@1wt.eu>
Date: Sat, 16 Mar 2013 19:15:28 +0100
To: Zhong Yu <zhong.j.yu@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20130316181528.GF9060@1wt.eu>

On Sat, Mar 16, 2013 at 12:35:57PM -0500, Zhong Yu wrote:
> >         GET /alive HTTP/1.1
> >         Host:
> 
> Is this really a legitimate HTTP request?

I know at least one server which accepts it but does not accept a
request without "Host".

> We can't construct an HTTP
> URL from it, so it's unclear what it is requesting.

It depends. When all you need is direct connectivity (I mean an
address-agnostic request), http:///path/ could very well be valid.
For example when you connect over a local unix socket, you have no
IP nor address to indicate either in the request.

> Of course, the load balancer doesn't care about legality when it just
> wants to do a ping. Then why not simply send a request *without* Host
> header? Certainly the server will not crash because of that. The load
> balancer should receive a 400 response.

The server will return a 400 indicating an error instead of processing
it as a valid request.

You'll also note that on a number of web sites you can get the default
Host name when you only know the ip:port by sending such a request,
because they respond with a 301 redirect with the FQDN in the URL :-)

Willy
Received on Saturday, 16 March 2013 18:16:02 GMT
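
An added example, not part of the original message: a server-side sketch of the three cases discussed in the thread (Host missing, Host present but empty, Host naming a site) that also keeps the configured FQDN out of redirects when the request did not supply a recognised name. The function names, `KNOWN_HOSTS`, `REDIRECTS` and the sample requests are constructed assumptions.

```python
from typing import Optional, Tuple

KNOWN_HOSTS = {"www.example.test"}   # constructed vhost list (assumption)
REDIRECTS = {"/docs": "/docs/"}      # constructed canonical-path map (assumption)

def host_values(raw: bytes):
    """Return (target, version, [Host field values]) from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *fields = head.split("\r\n")
    _method, target, version = request_line.split(" ")
    hosts = [value.strip() for name, _, value in
             (f.partition(":") for f in fields) if name.lower() == "host"]
    return target, version, hosts

def handle(raw: bytes) -> Tuple[int, Optional[str]]:
    """Return (status, Location) for the Host cases discussed in the thread."""
    target, version, hosts = host_values(raw)
    # Missing Host on HTTP/1.1, or more than one Host field: reject with 400.
    if len(hosts) > 1 or (not hosts and version == "HTTP/1.1"):
        return 400, None
    host = hosts[0] if hosts else ""
    if target in REDIRECTS:
        if host in KNOWN_HOSTS:
            # Recognised name: the client already knows it, so echo it back.
            return 301, "http://" + host + REDIRECTS[target]
        # Empty or unrecognised Host: a relative Location (allowed by RFC 7231)
        # redirects without disclosing any configured default name.
        return 301, REDIRECTS[target]
    return 200, None

# Constructed sample requests.
PING_EMPTY = b"GET /alive HTTP/1.1\r\nHost:\r\n\r\n"
PING_MISSING = b"GET /alive HTTP/1.1\r\n\r\n"
DOCS_EMPTY = b"GET /docs HTTP/1.1\r\nHost:\r\n\r\n"
DOCS_BY_IP = b"GET /docs HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n\r\n"
DOCS_NAMED = b"GET /docs HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
DOCS_TWICE = b"GET /docs HTTP/1.1\r\nHost: a.test\r\nHost: b.test\r\n\r\n"

if __name__ == "__main__":
    for req in (PING_EMPTY, PING_MISSING, DOCS_EMPTY,
                DOCS_BY_IP, DOCS_NAMED, DOCS_TWICE):
        print(req.split(b"\r\n\r\n")[0], "->", handle(req))
```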
