12

According to RFC 2616, which defines HTTP/1.1, the Host: header is mandatory.

A client MUST include a Host header field in all HTTP/1.1 request messages .

But the PHP manual implies that it could be empty:

'HTTP_HOST': Contents of the Host: header from the current request, if there is one.

In which situations could this header, and thus $_SERVER['HTTP_HOST'], be empty? Could my application depend on its being there?

Tim
  • 13,904
  • 10
  • 69
  • 101
  • The `Host:` header is still 'mandatory' as per [HTTPbis](http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-14#appendix-B.1.1), but that doesn't mean it will always be present. Apache handles its absence gracefully (albeit it won't reach any configured vhost). – mario May 14 '11 at 20:40
  • @mario: Are there actual HTTP/1.1 clients in the wild that do not send the `Host:` header? – Tim May 14 '11 at 20:43
  • 2
    I wouldn't consider them real clients, and certainly none of the contemporary browsers and libraries does. But any handicrafted PHP script might. But still, it's mostly a configuration issue, not relevant for Apache vhosts. HTTP_HOST is prescreened by Apache, and I wouldn't worry about it being empty in practice. Unlikely edge case. – mario May 14 '11 at 20:52

2 Answers2

13

It can be empty in HTTP 1.0. If no host header is specified, virtual hosting won't work at all, so the default vhost in your web server will be used.

I just tested this myself; in PHP under Nginx the $_SERVER['HTTP_HOST'] variable got set to the name of the virtual host, which is _ in my case. But that also depends on your fastcgi_params configuration in Nginx.

On shared hosting this is not important since the default vhost will be set to some information page from the hosting company, and so your script will not be run. Could be a good thing to keep in mind for your own server though.

Emil Vikström
  • 90,431
  • 16
  • 141
  • 175
  • What is meant with "HTTP_HOST"? $http_host? – Torsten Bronger Oct 27 '15 at 18:31
  • Good job on digging up an answer from four years ago! :-) I do not remember this problem at all, but since I have worked a lot with PHP I guess I meant the `$_SERVER['HTTP_HOST']` PHP variable, which probably was sent in as an Nginx fastcgi_param. I do not have that configuration file left anymore, but reading [this](http://stackoverflow.com/a/15414811/238978) SO answer I am pretty sure it might have been the `$host` Nginx variable. – Emil Vikström Oct 27 '15 at 19:01
  • Thanks for the answer! Then, just to make it clear because it is a little bit confusing in the answer: nginx doesn't set `$http_host` to the name of the virtual host, instead, it just copies the original HTTP header field "Host" into it. And if this is empty, as is `$http_host`. – Torsten Bronger Oct 27 '15 at 19:23
  • The original question is about PHP only, not even mentioning Nginx. – Emil Vikström Oct 28 '15 at 08:08
  • 1
    Ah sorry! I came here through a Google search and missed the context. – Torsten Bronger Oct 28 '15 at 11:48
6

Crawlers (e.g. google), scrapers or even perfectly legal scripts interfacing with your API may accidentally or ignorantly skip the Host header.

I added this answer because this question came up on google when I looked for the same thing.

Tor Valamo
  • 33,261
  • 11
  • 73
  • 81