23

I have a reverse proxy server, which redirects you to different services depending on the Host header. However, when making requests to this server using a browser, the Host is always set to the domain name in the URL. I tried:

```javascript
fetch("http://foo.com", {"headers":{"Host":"bar.foo.com"}})
```

But it doesn't work.

sideshowbarker
hgiesel

2 Answers

35

Host is one of the forbidden header names:

> A forbidden header name is an HTTP header name that cannot be modified programmatically.

robertklep
  • So should I use X-Forwarded-Host to let my reverse proxy server redirect client requests to different services? – Qiulang Dec 19 '18 at 07:28
  • @Qiulang `X-Forwarded-Host` is typically set _by_ the proxy to indicate to the server handling the request what the `Host` header of the request was. I'm not sure if reverse proxies will forward it as-is, you'd have to try and see if it does. – robertklep Dec 19 '18 at 07:33
  • I wonder how it is enforced on the deeper level. After all, all it takes is just changing a string in the HTTP-message. – m_ocean Apr 27 '22 at 06:37
  • My understanding is that it is just enforced by the browser (I'm not sure about NodeJs). You can send any kind of HTTP request by other means. – Mahmood Dehghan Mar 01 '23 at 16:11
  • @MahmoodDehghan you're right, it's enforced by the browser. JS runtimes like Node.js don't adhere to such rules because they aren't browsers and don't have to worry about things like XSS and other types of abuse. – robertklep Mar 01 '23 at 19:11
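
Added example (not code from the question or from either answer): a JavaScript implementation of the Fetch Standard's forbidden request-header check, showing that the `Host` entry from the question's `fetch()` call is dropped inside the browser before the request is sent. The function names are hypothetical, the header list is transcribed from the standard and should be checked against its current text, and the comma split is a simplification of the standard's value parsing.

```javascript
// Names the Fetch Standard treats as forbidden request-headers (lowercased).
// Assumption: transcribed from the standard; verify against its current text.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade",
  "via",
]);
const METHOD_OVERRIDE_NAMES = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);
const FORBIDDEN_METHODS = new Set(["connect", "trace", "track"]);

// Hypothetical helper: true if a script-supplied header would be refused.
function isForbiddenRequestHeader(name, value = "") {
  const lower = name.toLowerCase();
  if (FORBIDDEN_NAMES.has(lower)) return true;
  // Whole prefixes are reserved for the browser as well.
  if (lower.startsWith("proxy-") || lower.startsWith("sec-")) return true;
  if (METHOD_OVERRIDE_NAMES.has(lower)) {
    // Forbidden only when the override names a forbidden method.
    // Simplification: plain comma split instead of the standard's parser.
    return String(value).split(",")
      .some((m) => FORBIDDEN_METHODS.has(m.trim().toLowerCase()));
  }
  return false;
}

// Mimics what the browser does with the `headers` option of fetch():
// forbidden entries are dropped silently, the rest are kept.
function filterRequestHeaders(headers) {
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name, value)) dropped.push(name);
    else kept[name] = value;
  }
  return { kept, dropped };
}

// The header from the question, plus two constructed entries for contrast.
const result = filterRequestHeaders({
  "Host": "bar.foo.com",
  "X-Forwarded-Host": "bar.foo.com",
  "X-HTTP-Method-Override": "TRACE",
});
console.log(result);
```

The check runs in the browser only, so a server or reverse proxy still has to validate the `Host` value it receives. A header that passes the check is still subject to a CORS preflight on cross-origin requests.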
3

It won't work. You cannot set forbidden headers when making requests through browsers.

You can get the list of forbidden headers here - https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

Similar answers here:
Ajax request: Refused to set unsafe header
Not able to set HTTP Host header on $.ajax request

Anurag