Server

Description

The Host request header contextualises the request by stating which domain (host) the request is intended for. The Origin Server uses this information when it is configured with virtual hosts. Unlike most headers, the Host header must be the first header following the request line, so that other critical processing that relies on it can be carried out. It is, furthermore, highly advisable to set this header even when the request target is in the absolute form (i.e. compatible with previous HTTP versions), as this ensures that older proxies which have not implemented this header will still pass it through, so that compliant Origin Servers can access it.

Technical Info

Protocol: HTTP Header
Type: Request Header
Mozilla link: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
RFC: RFC 7230

Usage

The Host header is generated by the User Agent when requesting a resource. It is used by the Origin Server to direct the resource request to the correct location. In addition, it is commonly used by applications such as Content Management Systems to orient their processing by domain name.

Syntax

Host = uri-host [ ":" port ]

The Host header is intended to convey to the Host or Virtual Host which resource the request is intended for. Although not required for versions of HTTP prior to 1.1, it is advisable to provide this header unconditionally.

Related Headers

The Host header is not directly related to or dependent on any other header, although it does work together with the request line.

Examples

Example Host header values:

Host: tools.ietf.org
Host: 192.168.254.100
Host: 192.168.1.1:8000
Host: example.com:443

Note that both domain names and IP addresses are supported. A port number may also be specified, using a colon (:) separator.

Security

This header is often used by malware to take advantage of its application-level routing functionality: to redirect a request to an alternative destination, to surreptitiously gain access to a shared cache, or to poison a shared cache. An interception proxy, such as HAProxy*, is more vulnerable than most, as much of its processing depends on analysis of the Host header, while little provision is made to allow the header to be verified, bound to IP addresses, or tied to the resource being requested.

*HAProxy is used in this example as an intercepting proxy. This is not saying HAProxy is insecure. It is important to ensure that any such software is correctly configured by competent personnel.
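The mitigation for the routing and cache concerns above is the one the Syntax section implies: parse the Host value strictly against `Host = uri-host [ ":" port ]`, then bind it to an explicit table of the virtual hosts the server actually serves and reject everything else before any routing or caching decision is made. The following is an added example written for this page, not code from the page, from HAProxy, or from any proxy project. The virtual-host table, the function names (`parse_host`, `select_vhost`) and the sample header values other than those shown in the Examples section are constructed for illustration, and the host grammar is restricted to DNS hostnames and IP literals (RFC 3986 reg-name is broader).

```python
"""Strict Host header parsing and virtual-host binding.

Added example, not from the original page. The vhost table, function names
and sample values are constructed for illustration.
"""
import ipaddress
import re
from typing import NamedTuple, Optional

# DNS hostname: dot-separated labels of 1-63 letters, digits or hyphens,
# not starting or ending with a hyphen. Assumption: reg-names are limited
# to DNS hostnames here, which is narrower than RFC 3986 allows.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


class ParsedHost(NamedTuple):
    host: str            # lowercased host, IPv6 without brackets
    port: Optional[int]  # None when the header carried no port
    kind: str            # "name", "ipv4" or "ipv6"


def parse_host(value: str) -> ParsedHost:
    """Split a Host header value into host and optional port.

    Raises ValueError for anything outside the grammar so that a caller
    never routes or caches on a malformed or ambiguous value.
    """
    if not value or len(value) > 255 or any(c.isspace() for c in value):
        raise ValueError("empty, oversized or whitespace-containing Host")
    port_str: Optional[str] = None
    if value.startswith("["):
        # IP-literal: "[" IPv6address "]" [ ":" port ]
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IP-literal")
        host, rest = value[1:end], value[end + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("unexpected data after IP-literal")
            port_str = rest[1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError as exc:
            raise ValueError("invalid IPv6 literal") from exc
        kind = "ipv6"
    else:
        if value.count(":") > 1:
            raise ValueError("bare IPv6 address must be bracketed")
        host, sep, port_part = value.partition(":")
        port_str = port_part if sep else None
        try:
            ipaddress.IPv4Address(host)   # requires exactly four octets
            kind = "ipv4"
        except ValueError:
            if not _HOSTNAME_RE.match(host):
                raise ValueError("host is neither an IP address nor a hostname")
            kind = "name"
    port: Optional[int] = None
    if port_str is not None:
        # RFC 3986 permits an empty port; rejected here as ambiguous (assumption).
        if not port_str.isdigit() or len(port_str) > 5 or int(port_str) > 65535:
            raise ValueError("invalid port")
        port = int(port_str)
    return ParsedHost(host.lower(), port, kind)


# Constructed virtual-host table: (host, port) -> backend name. Anything not
# listed is refused, so an attacker-chosen Host cannot steer routing.
VHOSTS = {
    ("example.com", 443): "public-site",
    ("192.168.254.100", 8000): "admin-ui",
    ("::1", 8080): "loopback-dev",
}


def select_vhost(header_value: str, vhosts: dict, default_port: int) -> Optional[str]:
    """Return the backend bound to this Host, or None to reject the request.

    A None result should become a 400 (or 421) response, issued before the
    request touches any shared cache.
    """
    try:
        parsed = parse_host(header_value)
    except ValueError:
        return None
    port = parsed.port if parsed.port is not None else default_port
    return vhosts.get((parsed.host, port))


if __name__ == "__main__":
    # Constructed sample values, including the ones from the Examples section.
    for sample in ["tools.ietf.org", "192.168.254.100:8000", "example.com:443",
                   "Example.COM", "[::1]:8080", "a:b:c", "evil.example"]:
        print(f"{sample!r:28} -> {select_vhost(sample, VHOSTS, 443)}")
```

The parser lowercases the host so that `Example.COM` and `example.com` select the same virtual host; a lookup keyed on the raw string would let case variation bypass the table. Reject-by-default is the important property: a Host that does not match a configured entry is never forwarded, so neither an alternative destination nor a shared cache key can be chosen by the sender.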