Bhuvesh Gupta

Reputation: 45

Usage of 'Host' Header in Web Requests

I am looking at HTTP requests in Burp Suite. I see a field named 'Host'. What is the importance of this field? What happens if I change this field and then send the request? If I change the Host header field to some other IP, would the server respond back to this new modified IP?

Upvotes: 2

Views: 13125

Answers (3)

katepangliu

Reputation: 1

@Bhuvesh, if you send a GET or POST request to, let's say, host1.com/abc/xyz and modify the Host header to host2.com instead of host1.com:

  • The request will be sent to server host1.com

  • Server host1.com will handle /abc/xyz and the Host header

  • For nginx, host2.com may be a virtual host in nginx or an upstream outside.

    location /abc/xyz {
        # nginx sets the variable `$host` from the Host header
        proxy_pass http://$host/abc/xyz;

        #...
    }

Upvotes: 0

Quentin

Reputation: 943089

A single web server can host multiple websites with different domains and subdomains.

The Host header allows it to distinguish between them.

Given the limited availability of IPv4 addresses, this is important as there are more websites than available IP addresses.

> What happens if I change this field and then send the request?

If the server pays attention to it and recognises the hostname, it will respond with that website (otherwise it may fall back to its default website or throw an error).

For an example, see Name-based Virtual Host Support in the Apache HTTPD manual.

> If I change the host header field to some other IP then would the server respond back to this new modified IP?

No. The Host header is the host the client is asking for. It has nothing to do with where the response should be sent.

Upvotes: 6

Simon Bennetts

Reputation: 6186

To quote from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host :

> The Host request header specifies the host and port number of the server to which the request is being sent.
>
> If no port is included, the default port for the service requested (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL) is implied.
>
> A Host header field must be sent in all HTTP/1.1 request messages. A 400 (Bad Request) status code may be sent to any HTTP/1.1 request message that lacks a Host header field or that contains more than one.

Upvotes: 2
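
The behaviour described in the answers above, as an added example (not code from any of the posters): a sketch of how a server can pick a site from the Host header, fall back to a default for unrecognised names, reject a missing or repeated Host with 400, and still reply only to the connection's peer address. The hostnames, site names, function names and sample addresses are assumptions constructed for illustration.

```python
# Added example: name-based virtual host selection from the Host header.
# VHOSTS, DEFAULT_SITE and all function names are hypothetical.

VHOSTS = {"host1.com": "site-one", "host2.com": "site-two"}  # names this server knows
DEFAULT_SITE = "default-site"  # served when the Host value is not recognised


def parse_host_headers(raw: bytes) -> list[str]:
    """Return every Host header value found in a raw HTTP/1.1 request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.lower() == "host":  # header names are case-insensitive
            values.append(value.strip())
    return values


def normalise(host: str) -> str:
    """Lower-case the name and drop an optional :port suffix."""
    host = host.lower()
    if host.startswith("["):  # IPv6 literal: [::1]:8080 -> [::1]
        return host.split("]", 1)[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def select_site(raw: bytes, peer: tuple[str, int]) -> dict:
    """Decide status, site and reply destination for one request.

    `peer` is the TCP source address of the connection. The reply always
    goes there, whatever value the client put in the Host header.
    """
    hosts = parse_host_headers(raw)
    if len(hosts) != 1:  # this sketch answers 400 for a missing or repeated Host
        return {"status": 400, "site": None, "reply_to": peer}
    # Look the name up in a fixed allowlist; never use the raw value as a destination.
    site = VHOSTS.get(normalise(hosts[0]), DEFAULT_SITE)
    return {"status": 200, "site": site, "reply_to": peer}
```

Looking the name up in a fixed table, rather than passing the client-supplied value on as a destination, keeps a modified Host header from steering the server anywhere it was not configured to go.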
