Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Super pedantic but you don't need to send the Host header either to get a response.

I use the telnet trick often as debug step number one.



OP is correct. HTTP/1.1 requires the Host header (1). The client must send it, and the server must reject requests without it. Some implementations simply don't follow the standard. For example, you can test this on twitter.com, which appears to be correctly following the specification.

(1) https://www.rfc-editor.org/rfc/rfc7230#section-5.4


OP is only correct if using HTTP/1.1 and not 1.0 or 0.9.

I’ve done plenty of telnets using 1.0 without the need for the host header. Just depends on if the server is a dedicated server or running a bunch of hosts (and the default host isn’t the one you want).


  Connected to motherfuckingwebsite.com.

  Escape character is '^]'.

  GET / HTTP/1.0

  HTTP/1.0 200 OK


My apologies I was being way too pedantic. You're obviously right about the standard and that some implementations do not follow the standard. I'll even admit complete defeat since I must have skipped over this part, "this server accepts." I was really just objecting to the phrasing of "bare minimum" largely because I'd encountered implementations that do not match specification. But also, the part, "for me to request the website from it" does not quite match the language of the rfc. Therefore, my argument has been reduced to "screaming into the void" is a way to request the website from a server.


> That’s the bare minimum that this server accepts in order for me to request the website from it.

The example shown returns a 400 for me without a Host header.


Exactly. Without a Host header, 400. With a Host header, 301 to https.




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: