24

I have a reverse proxy server, which redirects you to different services depending on the Host header. However when making requests to this server using a browser, the Host is always set to the domain name in the URL. I tried:

fetch("http://foo.com", {"headers":{"Host":"bar.foo.com"}})

But it doesn't work

0

2 Answers 2

Reset to default
37

Host is one of the forbidden header names:

A forbidden header name is an HTTP header name that cannot be modified programmatically.

5
  • So should I use X-Forwarded-Host to let my reverse proxy server redirect client requests to different services?
    – Qiulang
    Commented Dec 19, 2018 at 7:28
  • 2
    @Qiulang X-Forwarded-Host is typically set by the proxy to indicate to the server handling the request what the Host header of the request was. I'm not sure if reverse proxies will forward it as-is, you'd have to try and see if it does.
    – robertklep
    Commented Dec 19, 2018 at 7:33
  • I wonder how it is enforced on the deeper level. After all, all it takes is just changing a string in the HTTP-message.
    – m_ocean
    Commented Apr 27, 2022 at 6:37
  • 1
    My understanding is that it is just enforced by the browser (I'm not sure about NodeJs). You can send any kind of HTTP request by other means.
    – Mahmood Dehghan
    Commented Mar 1, 2023 at 16:11
  • @MahmoodDehghan you're right, it's enforced by the browser. JS runtimes like Node.js don't adhere to such rules because they aren't browsers and don't have to worry about things like XSS and other types of abuse.
    – robertklep
    Commented Mar 1, 2023 at 19:11
3

It won't work. You cannot set the forbidden Headers on making the requests through browsers.

You can get the list of forbidden headers here - https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

Similar answers here:
Ajax request: Refused to set unsafe header
Not able to set HTTP Host header on $.ajax request

Not the answer you're looking for? Browse other questions tagged or ask your own question.