KestrelServerOptions.AllowHostHeaderOverride Property

Definition

In HTTP/1.x, when a request target is in absolute-form (see RFC 9112 Section 3.2.2), for example

GET http://www.example.com/path/to/index.html HTTP/1.1

the Host header is redundant. In fact, the RFC says:

When an origin server receives a request with an absolute-form of request-target, the origin server MUST ignore the received Host header field (if any) and instead use the host information of the request-target.

However, it is still sensible to check whether the request target and Host header match because a mismatch might indicate, for example, a spoofing attempt. Setting this property to true bypasses that check and unconditionally overwrites the Host header with the value from the request target.

public bool AllowHostHeaderOverride { get; set; }
member this.AllowHostHeaderOverride : bool with get, set
Public Property AllowHostHeaderOverride As Boolean

Property Value

Remarks

This option does not apply to HTTP/2 or HTTP/3.
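The check described in the Definition, modelled as a small C# function for HTTP/1.x requests. This is an added example, not Kestrel's implementation; the `Resolve` helper, its authority comparison, the use of null for a failed check and the sample hosts are assumptions made for illustration.

```csharp
using System;

public static class HostHeaderCheck
{
    // Illustrative model (assumption), not Kestrel source. Returns the effective
    // Host value, or null when the request fails the check.
    public static string? Resolve(string requestTarget, string? hostHeader,
                                  bool allowHostHeaderOverride)
    {
        // Only absolute-form targets (http://authority/path) carry their own host.
        // The scheme test also excludes "/path", which .NET on Unix parses as file://.
        if (!Uri.TryCreate(requestTarget, UriKind.Absolute, out Uri? target) ||
            (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps))
        {
            return hostHeader; // origin-form: nothing to compare against
        }

        // Compare authorities; building a Uri normalises case and default ports.
        bool matches = hostHeader is not null
            && hostHeader.IndexOfAny(new[] { '/', '?', '#', '@' }) < 0
            && Uri.TryCreate($"{target.Scheme}://{hostHeader}", UriKind.Absolute, out Uri? claimed)
            && string.Equals(claimed.Authority, target.Authority, StringComparison.OrdinalIgnoreCase);
        if (matches)
        {
            return hostHeader;
        }

        // Mismatch: with the override enabled the request target silently wins,
        // so later code never sees the Host value the client actually sent.
        return allowHostHeaderOverride ? target.Authority : null;
    }

    public static void Main()
    {
        // Constructed sample requests: (request target, Host header).
        var samples = new (string Target, string? Host)[]
        {
            ("http://www.example.com/path/to/index.html", "www.example.com"),
            ("http://www.example.com/path/to/index.html", "internal.example.net"),
            ("/path/to/index.html", "www.example.com"),
        };
        foreach (var (target, host) in samples)
            foreach (bool allow in new[] { false, true })
                Console.WriteLine($"target={target} Host={host} override={allow} -> " +
                                  (Resolve(target, host, allow) ?? "rejected"));
    }
}
```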
