Should the HTTP/2 `:authority` header include port number?

Question

Following on from Is Port Number Required in HTTP "Host" Header Parameter?, does the same logic apply to HTTP/2?

i.e. if a browser makes a request to https://server.com:1234/, should the :authority header be server.com or server.com:1234?

score 9 · Accepted Answer · edited Oct 07 '21 at 08:14

It should, :authority is defined by RFC 7540 (https://www.rfc-editor.org/rfc/rfc7540#section-8.1.2.3) as a :

pseudo-header field includes the authority portion of the target URI ([RFC3986], Section 3.2). The authority MUST NOT include the deprecated "userinfo" subcomponent for "http" or "https" schemed URIs.

RFC 3986 in turn describes authority as:

  authority   = [ userinfo "@" ] host [ ":" port ]

So yes, it should include the port, if the port isn't the default for the scheme.

Should the HTTP/2 `:authority` header include port number?

1 Answers1