Is the Host: header required over SSL even if the request is not HTTP/1.1?
So, if a client connects over SSL, and sends the following request:
GET / HTTP/1.0
- Should the web server throw a bad request due to the missing Host: header?
- Should the web server respond with an HTTP/1.0 200 OK response?
(the index.html file always exists, so a request to /, would never lead to 403/404)
Update:
If I disable SNI in `openssl s_client`, apache works without the Host: header.
Why does it need the Host: header when SNI is on?
An HTTP/1.0 request does not need a Host according to the standard, but this header is still usually needed in practice to decide on multi-domain setups which content to serve. But if this header is not present and it is still clear which content to serve, then this content can be served without requiring the header. Note that this has nothing to do with TLS and with the use of SNI.
To answer the part of the question added in an update,
"Need" is a strong word but it helps to understand that SNI and HTTP headers operate at two different layers and accordingly serve two different purposes.
SNI is primarily used to determine which certificate to give the client. In a setup with multiple virtual hosts, before the payload is decrypted, the server has to present a certificate to the client. Since the certificate contains the name of the site, traditionally in the common name of the certificate subject, but lately in the X.509 extension subject alternative names, presenting the wrong certificate would cause the client to reject the connection before even sending the HTTP request to the server.
Whereas, the `Host` header is primarily used to determine which resource to serve. In well behaved clients this is redundant with the name in SNI but HTTP/1.1 was developed around the same time as SSL 3.0 and thus well before the TLS-SNI extension even existed. In fact, it was the combination of HTTP/1.1 and SSL/TLS where the need for SNI was discovered in the first place.
It may be worth noting that HTTP/2 does not require the `Host` header but has a functional equivalent in the form of the `:authority` pseudo-header. Though the information in that header will still be redundant with TLS-SNI in most cases, it simplifies the implementation to always include it.
Always including the `Host` (or `:authority`) header also leaves open the possibility of barebones SSL termination (though in practice there is very little support for HTTP/2 without TLS). However, not validating that the host/authority matches the name in TLS-SNI could open up a security hole in some setups.