SSL – Is the Host Header Required Over SSL?

host-headers, http, ssl

Is the Host: header required over SSL even if the request is not HTTP/1.1?

So, if a client connects over SSL, and sends the following request:

    GET / HTTP/1.0

  1. Should the web server throw a bad request due to the missing Host: header?
  2. Should the web server respond with an HTTP/1.0 200 OK response?
     (the index.html file always exists, so a request to / would never lead to 403/404)

Update:

If I disable SNI in openssl s_client, Apache works without the Host: header.

Why does it need the Host: header when SNI is on?

Best Answer

An HTTP/1.0 request does not need a Host according to the standard, but this header is still usually needed in practice to decide on multi-domain setups which content to serve. But if this header is not present and it is still clear which content to serve, then this content can be served without requiring the header. Note that this has nothing to do with TLS and with the use of SNI.
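
To make the decision discussed above concrete, here is an added example (not part of the original post and not Apache's own logic) of one possible server-side policy that combines the HTTP version, the Host header and the TLS SNI name. The vhost names, the default-vhost choice and the use of 421 for a Host/SNI mismatch or an unknown name are assumptions of this sketch.

```python
# Added example: a hypothetical vhost-selection policy, not Apache's own logic.
VHOSTS = {"a.example": "/srv/a", "b.example": "/srv/b"}  # constructed names
DEFAULT_VHOST = "a.example"  # assumption: the first vhost is the default


def parse_head(raw):
    """Return (http_version, [host names]) parsed from a raw request head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    _method, _target, version = lines[0].split(" ")
    hosts = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            # Drop an optional :port (IPv6 literals are out of scope here).
            hosts.append(value.strip().lower().partition(":")[0])
    return version, hosts


def select_vhost(raw, sni):
    """Return (status, vhost) for one request on a TLS connection.

    sni is the server name from the ClientHello, or None if none was sent.
    """
    try:
        version, hosts = parse_head(raw)
    except ValueError:
        return 400, None              # malformed request line
    if len(hosts) > 1:
        return 400, None              # more than one Host header
    sni = sni.lower() if sni else None
    if not hosts:
        if version == "HTTP/1.1":
            return 400, None          # HTTP/1.1 requires Host
        # HTTP/1.0 without Host: use the TLS server name, else the default.
        name = sni or DEFAULT_VHOST
    elif sni and hosts[0] != sni:
        return 421, None              # Host and SNI disagree: do not guess
    else:
        name = hosts[0]
    return (200, name) if name in VHOSTS else (421, None)


if __name__ == "__main__":
    # Constructed requests: the question's HTTP/1.0 request with and without SNI.
    print(select_vhost(b"GET / HTTP/1.0\r\n\r\n", None))
    print(select_vhost(b"GET / HTTP/1.0\r\n\r\n", "b.example"))
    print(select_vhost(b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n", "b.example"))
```
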
