Skip to content

HTTP/2: validate Host vs :authority#622

Merged
arturobernalg merged 1 commit intoapache:masterfrom
arturobernalg:hostVsAuthority
Feb 17, 2026
Merged

HTTP/2: validate Host vs :authority#622
arturobernalg merged 1 commit intoapache:masterfrom
arturobernalg:hostVsAuthority

Conversation

@arturobernalg
Copy link
Member

@arturobernalg arturobernalg commented Feb 16, 2026

Clients MUST NOT generate a request with a Host header field that differs from the ":authority" pseudo-header field.”

“A server SHOULD treat a request as malformed if it contains a Host header field … that differs … from the … ":authority" pseudo-header field

https://datatracker.ietf.org/doc/html/rfc9113#name-request-pseudo-header-field

@arturobernalg arturobernalg requested a review from ok2c February 16, 2026 15:40
ok2c
ok2c reviewed Feb 16, 2026
View reviewed changes
httpcore5-h2/src/main/java/org/apache/hc/core5/http2/protocol/H2RequestValidateHost.java Outdated
return;
}

final URIAuthority hostAuthority;
Copy link
Member

@ok2c ok2c Feb 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

“A server SHOULD treat a request as malformed if it contains a Host header field … that differs … from the … ":authority" pseudo-header field"

@arturobernalg I read this if "differs at all". I would just do a text comparison without parsing the values.

@arturobernalg arturobernalg requested a review from ok2c February 16, 2026 18:19
@arturobernalg arturobernalg merged commit 34f2dbb into apache:master Feb 17, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ok2c ok2c ok2c approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arturobernalg @ok2c