Joseph

Reputation: 13188

Defined behavior for explicit default port in HTTPS Host: header?

In HTTPS, should a server act differently if the default port is/is-not provided in the Host header? That is, in HTTPS, consider these two headers as part of a request:

Host: www.example.com

Host: www.example.com:443

As far as I know, the HTTP spec says port must be included unless it is the default port. However, it does not mention, as far as I can tell, what to do if the default port is explicitly included (since it need not be). I can't seem to find anything for HTTPS, which is what I'm curious about in this case.

Similar to this question, which deals with HTTP and asks whether the port is required.

For context, I am working with the Mechanize Python module and when dealing with some 302 redirects through a login service, end up sending a Host: header with the default port (i.e., 443) included. However, the server receiving this header doesn't seem to like it, and only acts properly when the port is not included. I am trying to determine whether this is a bug in the server, or mechanize, or neither. I think it's the former, but I only have the ability to change the way mechanize works.

Upvotes: 4

Views: 1589

Answers (2)

Evgeniy Berezovsky

Reputation: 19228

That server that "doesn't seem to like it" simply doesn't seem to like the definition of the Host header as set forth in the HTTP spec, which says that you may specify a port number - or omit it, in case it's the default value. However, nowhere does the specification say that you must not specify it in the default case. Btw, unless that server does not allow you to specify ports at all, even non-default ports, it would seem to cost extra work on the part of the programmer to make it "not like it".

In other words: It's a bug in that server. Which of course doesn't prevent you from working around it by stripping off the port number if it's the default.

Upvotes: 3

albciff

Reputation: 18507

As you said, RFC 2616 only specifies that if port information is not provided then the default port must be used. In this RFC the default port for HTTPS is not explicitly defined, but RFC 2818 specifies that the default port for HTTPS is 443. So if you do not specify a port in the Host request header, port 80 is used for HTTP and port 443 is used for HTTPS. However, the RFC makes no reference to the case where the default port is specified, so IMHO if you specify the default port (although it is not necessary) the server must work. However, this finally depends on the vendor implementation.

Hope this helps.

Upvotes: 5
