Recipe 12.6 Handling Missing Host: Header Fields

Problem

You want to treat differently all requests that are made without a Host: request header field.

Solution

SetEnvIf Host "^$" no_host=1
Order Allow,Deny
Allow from all
Deny from env=no_host
RewriteCond "%{HTTP_HOST}" "^$"
RewriteRule ".*"           -     [F,L]

Discussion

The Host: request header field is essential to correct handling of name-based virtual hosts (see Recipe 4.1). If the client doesn't include it, the chances are very good that the request will be directed to the wrong virtual host. All modern browsers automatically include this field, so only custom-written or very old clients are likely to encounter this issue.

The solutions given will cause such requests to be rejected with a 403 Forbidden status; the exact text of the error page can be tailored with an ErrorDocument 403 directive.

The first solution is slightly more efficient.

See Also

• Recipe 4.1