Description
When sending an HTTP/1.1 request with an explicitly empty Host header, Caddy returns 200 OK and serves content, whereas the HTTP/1.1 specification requires a 400 Bad Request response for invalid Host header values.
I'm using the Docker image with Caddy version 2.10.2.
Steps to Reproduce
Caddyfile:

```
:80 {
	root * /usr/share/caddy
	file_server browse
}
```
The following raw HTTP/1.1 request for a static file returns 200.
```
printf "GET /index.html HTTP/1.1\r\nHost: \r\nConnection: close\r\n\r\n" | nc localhost 8083
```
Expected behavior
The HTTP/1.1 RFC states that a server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that contains a Host header field with an invalid field value.
An empty string is not a valid value for the Host header per the URI RFC.
Notes
I checked the Caddy documentation on the host matcher. Is the intention that users who want strict RFC compliance filter for valid host header values? I’m wondering if this issue may be intentional leniency, but it appears to be non-compliant with the HTTP/1.1 spec.
Assistance Disclosure
AI used
If AI was used, describe the extent to which it was used.
Test request generated by agent that parses RFC for validity constraints. Analysis and writing by human.
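The check the report asks for, as an added Go example written for this page (it is not Caddy's code and not its host matcher): an http.Handler wrapper that answers 400 Bad Request when the Host header is empty or malformed, with a validHost function that follows the uri-host [":" port] grammar the report cites. The port 8083 and root /usr/share/caddy in main mirror the reproduction above; the RFC section numbers in the comments are the editor's.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// regNameChars are the bytes RFC 3986 allows in a reg-name: ALPHA, DIGIT,
// unreserved punctuation, sub-delims, and the '%' of a pct-encoded triplet.
const regNameChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~!$&'()*+,;=%"

// validHost reports whether a Host header value is well-formed: a non-empty
// uri-host (bracketed IP literal or reg-name/IPv4), optionally followed by
// ":" and a digits-only port (RFC 3986 port = *DIGIT). Illustrative only;
// this is not Caddy's host matcher.
func validHost(host string) bool {
	name, port := host, ""
	// Split off the port unless the last ':' sits inside an IPv6 literal.
	if i := strings.LastIndexByte(host, ':'); i >= 0 && !strings.Contains(host[i:], "]") {
		name, port = host[:i], host[i+1:]
	}
	// strings.Trim leaves "" only when every byte is in the allowed set.
	if name == "" || strings.Trim(port, "0123456789") != "" {
		return false
	}
	if strings.HasPrefix(name, "[") { // IP-literal, e.g. "[::1]"
		return strings.HasSuffix(name, "]") && net.ParseIP(name[1:len(name)-1]) != nil
	}
	return strings.Trim(name, regNameChars) == ""
}

// requireValidHost rejects requests whose Host header is empty or malformed
// with 400 Bad Request, as RFC 9112 section 3.2 (RFC 7230 section 5.4) requires.
func requireValidHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validHost(r.Host) { // net/http copies the Host header into r.Host
			http.Error(w, "invalid Host header", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Same document root and port as the report's reproduction (assumed mapping).
	fs := http.FileServer(http.Dir("/usr/share/caddy"))
	http.ListenAndServe(":8083", requireValidHost(fs))
}
```

With the wrapper in place, the printf/nc request from the report gets a 400 instead of the file.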