Is $http_host dangerous?

Francis Daly francis at
Sun May 27 11:22:52 UTC 2012

On Sat, May 26, 2012 at 07:00:15PM -0400, jwxie wrote:

Hi there,

> I had to replace `$host` with `$http_host` to get my problem
> resolved...
> But is this safe?

"safe" depends on what you do with the arbitrary content provided by
the user. If all you do is "send it straight back to them", then it
probably is safe for you.

> It seems like all `$http_host` is doing is to exposed the whole `HOST`
> from header.


> The explination,213799 here is still
> not clear to me...

If I read that correctly, $http_host is "whatever the client sent in
the Host: header. This may be empty".

$host is "the host part of the request, if any (typically none)", or
else "the host part of the Host: header, converted to lowercase, if any
(typically something)", or else "the first entry in the server_name
array of this server".

> Someone has any idea why would `$http_host` be more dangerous?

If you serve requests from a default server (so the Host: header isn't
constrained by your server_name setting) and you use the $host or
$http_host variable as -- for example -- part of the filesystem path to
serve, then you may be surprised by their differences.

Both $http_host and $host are user-provided data. They are
sanitised differently. They are inherently safe. What you do with
them may be dangerous, or may just be inconvenient. What do you
see from 
  curl -i http://localhost:1111/forum

  curl -i -H 'Host:' http://localhost:1111/forum


  curl -i -H 'Host:' http://localhost:1111/forum

? Does any difference matter?

Francis Daly        francis at

More information about the nginx mailing list