Host

Virtual hosting requires knowing which domain a client intended to reach. The HTTP Host request header provides this by specifying the host and port number of the target server. The header is required in all HTTP/1.1 requests.

Usage

Every HTTP/1.1 request includes a Host header. The header enables virtual hosting, where a single server with one IP address hosts multiple domains. Without Host, the server has no way to determine which domain the client intended to reach.

The value contains the requested hostname and an optional port number separated by a colon. When no port is specified, the default port for the scheme applies: port 80 for HTTP and port 443 for HTTPS.

A server receiving an HTTP/1.1 request without a Host header responds with 400 Bad Request. The same response applies when a request contains more than one Host header, as the ambiguity prevents the server from selecting the correct virtual host.

In HTTP/2 and HTTP/3, the :authority pseudo-header field replaces Host. Clients sending HTTP/2 or HTTP/3 requests place the host information in :authority instead. When a gateway converts an HTTP/2 request to HTTP/1.1, the gateway generates the Host header from the :authority value.

The Host header differs from the Origin header. Host identifies the target server for every request. Origin identifies the source of a cross-origin request and appears only in specific contexts such as CORS preflight requests and form submissions.

Directives

host

The domain name or IP address of the target server.

port

An optional TCP port number. When omitted, the default port for the request scheme is assumed (80 for HTTP, 443 for HTTPS).

Host: <host>:<port>

Example

A standard HTTPS request to a web server omits the port because 443 is the default for HTTPS.

GET /articles/http-headers HTTP/1.1
Host: example.re

When a server runs on a non-standard port, the port number is included after the hostname.

GET /api/status HTTP/1.1
Host: api.example.re:8443

A request to an IP address includes the address directly. This form is common in development environments and internal services.

GET /health HTTP/1.1
Host: 192.168.1.100:3000

Security

Host header injection occurs when applications use the Host value to generate URLs (password reset links, canonical URLs, redirects) without validating the value first. An attacker sends a request with a forged Host value, causing the application to produce links pointing to a domain the attacker controls.

Validate the Host header against a whitelist of expected values. In nginx, define server_name with a default catch-all server block returning 444. In Django, set ALLOWED_HOSTS to the list of permitted domains. In Rails, configure host_authorization in the application environment. Browsers treat Host as a forbidden request header, preventing client-side JavaScript from modifying the value, but server-to-server requests and tools like curl face no such restriction.
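The following Python check is an added example, not code from the original page: it enforces the rules above (exactly one Host header, default port by scheme, an allowlist before the value reaches URL generation) on a raw HTTP/1.1 request head. The hostnames, the reset path and the token are constructed sample values.

```python
"""Constructed example: validate the Host header of a raw HTTP/1.1
request head before using it to build a URL (e.g. a password reset link).
Rules enforced: exactly one Host header (else 400), default port by
scheme, IPv6 literals in brackets, and an allowlist check so a forged
Host never reaches URL generation. Hostnames below are made-up samples.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_host(request_head: str, scheme: str = "https"):
    """Return (host, port) from a request head, or (None, 400) on error."""
    lines = request_head.replace("\r\n", "\n").split("\n")
    # Collect every Host header; HTTP/1.1 requires exactly one.
    values = [ln.split(":", 1)[1].strip() for ln in lines[1:]
              if ln.lower().startswith("host:")]
    if len(values) != 1:
        return None, 400
    try:
        parts = urlsplit("//" + values[0])  # handles "h:p" and "[v6]:p"
        host, port = parts.hostname, parts.port  # ValueError if malformed
    except ValueError:
        return None, 400
    # Reject anything beyond an authority (path, query, empty host).
    if not host or parts.netloc != values[0]:
        return None, 400
    return host, port or DEFAULT_PORTS[scheme]


def reset_link(request_head, allowlist, scheme="https", token="t0k"):
    """Return (200, url) when Host is allowed, else (400, None)."""
    host, port = parse_host(request_head, scheme)
    if host is None or host not in {h.lower() for h in allowlist}:
        return 400, None  # missing, duplicate, malformed or forged Host
    authority = f"[{host}]" if ":" in host else host  # re-bracket IPv6
    if port != DEFAULT_PORTS[scheme]:
        authority += f":{port}"
    return 200, f"{scheme}://{authority}/reset?token={token}"


if __name__ == "__main__":
    allowed = ["example.re", "api.example.re"]
    good = "GET /reset HTTP/1.1\r\nHost: api.example.re:8443\r\n"
    forged = "GET /reset HTTP/1.1\r\nHost: attacker.example\r\n"
    twice = "GET /reset HTTP/1.1\r\nHost: example.re\r\nHost: x.example\r\n"
    for head in (good, forged, twice):
        print(reset_link(head, allowed))
```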

Last updated: April 4, 2026