general

Host

Identifies the target host and optional port of the request, so a single IP can serve many virtual hosts. Missing Host in an HTTP/1.1 request MUST yield 400 Bad Request.

Host: <host>[:<port>]  (mandatory in HTTP/1.1 requests)

Common directives / values

Directive Purpose
example.com Default port implied by scheme (80 for http, 443 for https).
example.com:8443 Explicit non-default port.
IDN in punycode Internationalized hostnames must be encoded as xn--... in this header.
:authority (HTTP/2/3) Replaces Host in HTTP/2/3; libraries usually mirror one to the other.

Examples

GET / HTTP/1.1\nHost: example.com

Minimal valid HTTP/1.1 request.

GET / HTTP/1.1\nHost: api.example.com:8443

Explicit non-default port for a virtual host.

Host: xn--bcher-kva.example.com

IDN 'bücher.example.com' encoded as punycode. All non-ASCII hostnames are encoded this way on the wire.

curl --resolve example.com:443:1.2.3.4 https://example.com/

Force curl to send Host: example.com but connect to a specific IP.

Gotcha

Host header injection ('Host: attacker.com') plus a naive reverse proxy can rewrite links and reset-password URLs to the attacker's domain — validate Host against an allow-list. In HTTP/2/3 the field is :authority; middleware must reconcile both.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors