: Handling the HTTP Host header with what status code? After finding out that the environment variables HTTP_HOST and HTTP_SERVER return the same values on my server, I made a patch for apache
After finding out that the environment variables HTTP_HOST and HTTP_SERVER return the same values on my server, I made a patch for apache that fixes it, but I'm wondering if I returned the correct output.
Generally when one requests a URL, the first line in the HTTP headers is the requested resource then the second line is host: followed by the domain name requested.
Until now, anyone would have been able to use any hostname for the host header to access my website and thus make some sections of my website incorrect since HTTP_SERVER variable was used throughout with incorrect values.
Right now, if the hostname does not match the actual hostname being requested, I made apache send the user the 400 status code (bad request error).
I then proceeded to test google the same way by issuing a hostname different from google, and they return a 301 redirect page to google.com
My thinking is if I use a 301 redirect page, and some rare legitimate browser out there I'm unaware of is actually creating appending bad data to the host field, then it will cause an endless redirect loop.
My question is then is 400 status code the best to use when the value in the hostname field does not match the domain name requested? or is there a better status code to use in such case?
More posts by @Nickens628
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.