20

I have a reverse proxy server, which redirects you to different services depending on the Host header. However, when making requests to this server using a browser, the Host is always set to the domain name in the URL. I tried:

```javascript
fetch("http://foo.com", {"headers":{"Host":"bar.foo.com"}})
```

But it doesn't work.

sideshowbarker
hgiesel

2 Answers

28

Host is one of the forbidden header names:

A forbidden header name is an HTTP header name that cannot be modified programmatically.

robertklep
  • So should I use X-Forwarded-Host to let my reverse proxy server redirect client requests to different services? – Qiulang Dec 19 '18 at 07:28
  • 1
    @Qiulang `X-Forwarded-Host` is typically set _by_ the proxy to indicate to the server handling the request what the `Host` header of the request was. I'm not sure if reverse proxies will forward it as-is, you'd have to try and see if it does. – robertklep Dec 19 '18 at 07:33
  • I wonder how it is enforced on the deeper level. After all, all it takes is just changing a string in the HTTP-message. – m_ocean Apr 27 '22 at 06:37
2

It won't work. You cannot set forbidden headers when making requests through browsers.

You can get the list of forbidden headers here - https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

Similar answers here:
Ajax request: Refused to set unsafe header
Not able to set HTTP Host header on $.ajax request

Anurag