Skip to content

net/http: HTTP/1.1 requests without Host header should be rejected  #13624

New issue
New issue
Closed
Closed
net/http: HTTP/1.1 requests without Host header should be rejected #13624
Labels
FrozenDueToAge
Milestone
 
Go1.6
@CAFxX

Description

@CAFxX
CAFxX
opened on Dec 15, 2015

HTTP/1.1 mandates (both in RFC2616 and RFC7230) that requests lacking a Host header should unconditionally receive a 400 Bad Request response.

https://tools.ietf.org/html/rfc2616#section-14.23
All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request)
status code to any HTTP/1.1 request message which lacks a Host header
field.

https://tools.ietf.org/html/rfc7230#section-5.4
A server MUST respond with a 400 (Bad Request) status code to any
HTTP/1.1 request message that lacks a Host header field and to any
request message that contains more than one Host header field or a
Host header field with an invalid field-value.

Right now Go happily accepts such requests without returning 400: as such it's non-conforming to the RFCs.

Activity

bradfitz
changed the title [-]HTTP/1.1 requests without Host header should be rejected [/-] [+]net/http: HTTP/1.1 requests without Host header should be rejected [/+] on Dec 15, 2015
bradfitz
self-assigned this
on Dec 15, 2015
bradfitz

bradfitz commented on Dec 15, 2015

@bradfitz
bradfitz
on Dec 15, 2015
Contributor

I noticed this too recently in the process of working on #11206

bradfitz
added this to the Go1.6 milestone on Dec 15, 2015
gopherbot

gopherbot commented on Dec 16, 2015

@gopherbot
gopherbot
on Dec 16, 2015
Contributor

CL https://golang.org/cl/17892 mentions this issue.

bradfitz
closed this as completedin 6e11f45on Dec 16, 2015
calavera
mentioned this on Mar 23, 2016
Random-Liu
mentioned this in 2 issues on Apr 4, 2016
bradfitz
mentioned this in 2 issues on Apr 14, 2016
lrusak
mentioned this on May 12, 2016
Confusion
mentioned this on Jul 8, 2016
cgcgbcbc

cgcgbcbc commented on Jul 14, 2016

@cgcgbcbc
cgcgbcbc
on Jul 14, 2016

How to accept http 1.0 request then?

bradfitz

bradfitz commented on Jul 14, 2016

@bradfitz
bradfitz
on Jul 14, 2016
Contributor

@cgcgbcbc, HTTP/1.0 requests don't require Host headers. This bug only applies to HTTP/1.1 requests.

golang
locked and limited conversation to collaborators on Jul 14, 2017
gopherbot
added
FrozenDueToAge
on Jul 14, 2017
rsc
unassigned
bradfitz
on Jun 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAge

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @bradfitz@CAFxX@cgcgbcbc@gopherbot

        Issue actions
          net/http: HTTP/1.1 requests without Host header should be rejected · Issue #13624 · golang/go