HTTP requests with no Host header accepted

[asta12]

• Version: v16.3.0
• Platform: Microsoft Windows NT 10.0.19042.0 x64
• Subsystem: http

What steps will reproduce the bug?

This is a bug in the http module. If this is the wrong place to report this, please direct me to the right place.

The following code sets up a simple hello world node server. It listens to port 8080:

const http = require('http');

http.createServer((request, response) => {
  response.end('<html><body><h1>Hello, World!</h1></body></html>');
}).listen(8080);

If we send the following request with the command below (using echo and nc):

GET / HTTP/1.1
Connection: close

echo -ne "GET / HTTP/1.1\r\nConnection: close\r\n\r\n" | nc localhost 8080

We get the following response:

HTTP/1.1 200 OK
Date: Mon, 14 Jun 2021 16:23:18 GMT
Connection: close
Content-Length: 48

<html><body><h1>Hello, World!</h1></body></html>

How often does it reproduce? Is there a required condition?

It happens all the time.

What is the expected behavior?

The expected behavior is for node to answer with a 400 Bad Request response.

What do you see instead?

It answers with a 200 OK response.

Additional information

According to RFC 7230 a request containing no Host header should respond with a 400 (Bad Request).

"A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field [...]" - https://datatracker.ietf.org/doc/html/rfc7230#section-5.4

(Found by Asta Olofsson and Mattias Grenfeldt)

[Linkgoron]

This was actually raised a few years ago, here #3094

[asta12]

I read the issue. The discussion in the thread seemed to lean towards adding a check for the Host header, but then it was closed and the there is no check for the Host header as of today. What happened? What is the view of the nodejs team today regarding this?

[awwright]

I was just hit by this (an application suddenly stopped handling errors correctly) and I don't think this should have been merged.

The 'http' module is not a complete implementation of HTTP, but merely of the HTTP/1.1 framing, and this rule is not one of those framing rules.

Fully implementing the framing rules means is possible to receive a message, pass it, and the beginning of the next message will never be ambiguous, or misinterpreted by another (compliant) parser.

There's many, many requirements in HTTP, for example that "An origin server MUST generate an Allow header field in a 405 (Method Not Allowed) response". Unless Node.js is going to start enforcing all of these, then the HTTP parser should limit itself to enforcing the message framing rules. (#34066 is such a requirement.)

[marco-ippolito]

you can pass the option requireHostHeader: false in HttpServer to disable this behavior.