4

In HTTPS, should a server act differently if the default port is/is-not provided in the Host header? That is, in HTTPS, consider these two headers as part of a request:

Host: www.example.com

Host: www.example.com:443

As far as I know, the HTTP spec says port must be included unless it is the default port. However, it does not mention, as far as I can tell, what to do if the default port is explicitly included (since it need not be). I can't seem to find anything for HTTPS, which is what I'm curious about in this case.

Similar to this question, which deals with HTTP and asks whether the port is required.

For context, I am working with the Mechanize Python module and when dealing with some 302 redirects through a login service, end up sending a Host: header with the default port (i.e, 443) included. However, the server receiving this header doesn't seem to like it, and only acts properly when the port is not included. I am trying to determine whether this is a bug in the server, or mechanize, or neither. I think it's the former, but I only have the ability to change the way mechanize works.

Community
  • 1
  • 1
Joseph
  • 12,678
  • 19
  • 76
  • 115

2 Answers2

5

As you said, RFC 2616 only specifies that if port information is not provided then the default port must be used, in this RFC default port for HTTPS is not explicit defined but in RFC 2818 specifies that the default port for HTTPS is 443. So if you no specify a port on host request header for HTTP port 80 is used and for HTTPS port 443 is used. However in the RFC there isn't any reference if default port is specified, so IMHO if you specify the default port (although it is not necessary) the server must works. However this finally depends on vendor implementation.

Hope this helps,

Community
  • 1
  • 1
albciff
  • 18,112
  • 4
  • 64
  • 89
3

That server that "doesn't seem to like it", simple doesn't seem to like the definition of the Host header as set forth in the HTTP spec, which says that you may specify a port number - or omit it, in case it's the default value. However, nowhere does the specification say that you must not specify it in the default case. Btw, unless that server does not allow you to specify ports at all, even non-default ports, it would seem to cost extra work on the part of the programmer to make it "not like it".

In other words: It's a bug in that server. Which of course doesn't prevent you from working around it by stripping off the port number if it's the default.

Evgeniy Berezovsky
  • 18,571
  • 13
  • 82
  • 156