When could the HTTP Host header be undefined?

Asked 14/5, 2011 at 19:26 Answered 18/12, 2012 at 18:56

According to RFC 2616, which defines HTTP/1.1, the Host: header is mandatory.

A client MUST include a Host header field in all HTTP/1.1 request messages .

But the PHP manual implies that it could be empty:

'HTTP_HOST': Contents of the Host: header from the current request, if there is one.

In which situations could this header, and thus $_SERVER['HTTP_HOST'], be empty? Could my application depend on its being there?

Justinejustinian answered 14/5, 2011 at 19:26 Comment(3)

The Host: header is still 'mandatory' as per HTTPbis, but that doesn't mean it will always be present. Apache handles its absence gracefully (albeit it won't reach any configured vhost). – Communicant 14/5, 2011 at 20:40

@mario: Are there actual HTTP/1.1 clients in the wild that do not send the Host: header? – Justinejustinian 14/5, 2011 at 20:43

I wouldn't consider them real clients, and certainly none of the contemporary browsers and libraries does. But any handicrafted PHP script might. But still, it's mostly a configuration issue, not relevant for Apache vhosts. HTTP_HOST is prescreened by Apache, and I wouldn't worry about it being empty in practice. Unlikely edge case. – Communicant 14/5, 2011 at 20:52

It can be empty in HTTP 1.0. If no host header is specified, virtual hosting won't work at all, so the default vhost in your web server will be used.

I just tested this myself; in PHP under Nginx the $_SERVER['HTTP_HOST'] variable got set to the name of the virtual host, which is _ in my case. But that also depends on your fastcgi_params configuration in Nginx.

On shared hosting this is not important since the default vhost will be set to some information page from the hosting company, and so your script will not be run. Could be a good thing to keep in mind for your own server though.

Software answered 14/5, 2011 at 19:34 Comment(5)

What is meant with "HTTP_HOST"? $http_host? – Triploid 27/10, 2015 at 18:31

Good job on digging up an answer from four years ago! :-) I do not remember this problem at all, but since I have worked a lot with PHP I guess I meant the $_SERVER['HTTP_HOST'] PHP variable, which probably was sent in as an Nginx fastcgi_param. I do not have that configuration file left anymore, but reading this SO answer I am pretty sure it might have been the $host Nginx variable. – Marable 27/10, 2015 at 19:1

Thanks for the answer! Then, just to make it clear because it is a little bit confusing in the answer: nginx doesn't set $http_host to the name of the virtual host, instead, it just copies the original HTTP header field "Host" into it. And if this is empty, as is $http_host. – Triploid 27/10, 2015 at 19:23

The original question is about PHP only, not even mentioning Nginx. – Marable 28/10, 2015 at 8:8

Ah sorry! I came here through a Google search and missed the context. – Triploid 28/10, 2015 at 11:48

Crawlers (e.g. google), scrapers or even perfectly legal scripts interfacing with your API may accidentally or ignorantly skip the Host header.

I added this answer because this question came up on google when I looked for the same thing.

Abomination answered 18/12, 2012 at 18:56 Comment(0)

Recommended topics

Hot tags