Is $http_host dangerous?

x7311 nginx-forum at
Sun May 27 21:56:23 UTC 2012

Hi Francis,
Thanks for the response.

After reading the documentation,

When the HOST is empty, it's responded with 400 as expected. 

I think the argument would come down to whether we trust the value sent
by the user.
In both uses of $http_host and $host, I think the 3rd curl command is
trying to send a custom header whose HOST value is user-defined? I
believe that if we compromised the DNS or the network for example, there
is a possible way to hijack the nginx servers by modifying the

Since $host is a strict version of $http_host, and when it's empty it
uses the $server_name directive, I believe it's a small bit of extra
security layer.... besides getting rid of the port number in the

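As an added illustration (not part of the original post or of nginx's own documentation), here is a configuration that applies the $host-over-$http_host point from the message above and pairs it with a catch-all server so that requests carrying a Host value that matches nothing are dropped before reaching the application; example.com is a placeholder name.

```nginx
# Catch-all: requests whose Host header matches no server_name land here
# (including a missing or attacker-chosen Host), so they never reach the
# real application. 444 closes the connection without sending a response.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name example.com www.example.com;   # placeholder names

    # Redirect target built from $host: nginx takes the host from the
    # request line, else the Host header with any port stripped, else the
    # first server_name of this block. Using $http_host here instead would
    # pass an empty value or a "host:port" string straight into the Location
    # header, which is the behaviour the thread above is worried about.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Check the effect with a request whose Host header is unknown (for example `curl -H 'Host: other.invalid' http://127.0.0.1/`): it should be closed by the catch-all rather than redirected or served.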
