HTTP requests with no Host header accepted #39033

Closed
@asta12

  • Version: v16.3.0
  • Platform: Microsoft Windows NT 10.0.19042.0 x64
  • Subsystem: http

What steps will reproduce the bug?

This is a bug in the http module. If this is the wrong place to report this, please direct me to the right place.

The following code sets up a simple hello world node server. It listens on port 8080:

const http = require('http');

http.createServer((request, response) => {
  response.end('<html><body><h1>Hello, World!</h1></body></html>');
}).listen(8080);

If we send the following request with the command below (using echo and nc):

GET / HTTP/1.1
Connection: close

echo -ne "GET / HTTP/1.1\r\nConnection: close\r\n\r\n" | nc localhost 8080

We get the following response:

HTTP/1.1 200 OK
Date: Mon, 14 Jun 2021 16:23:18 GMT
Connection: close
Content-Length: 48

<html><body><h1>Hello, World!</h1></body></html>

How often does it reproduce? Is there a required condition?

It happens all the time.

What is the expected behavior?

The expected behavior is for node to answer with a 400 Bad Request response.

What do you see instead?

It answers with a 200 OK response.

Additional information

According to RFC 7230, a request containing no Host header should be answered with a 400 (Bad Request).

"A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request message that lacks a Host header field [...]" - https://datatracker.ietf.org/doc/html/rfc7230#section-5.4

(Found by Asta Olofsson and Mattias Grenfeldt)
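
An application can enforce the RFC 7230 section 5.4 check in its own request listener. The following is an added example, not part of the original report and not Node.js core code; `hostValues`, `hostHeaderStatus` and `requireHost` are hypothetical helper names. It also rejects requests with more than one Host field, which the same RFC section requires and which goes beyond the missing-header case reported here.

```javascript
// Added example: hypothetical helpers, not Node.js core code.

// rawHeaders is [name, value, name, value, ...] exactly as received.
// req.headers.host cannot be used to count Host fields, because Node
// discards duplicate Host values when it builds req.headers.
function hostValues(rawHeaders) {
  const values = [];
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    if (rawHeaders[i].toLowerCase() === 'host') values.push(rawHeaders[i + 1]);
  }
  return values;
}

// Returns 400 if the request breaks RFC 7230 section 5.4, otherwise 0.
function hostHeaderStatus(req) {
  const hosts = hostValues(req.rawHeaders);
  if (hosts.length > 1) return 400; // more than one Host field
  if (req.httpVersion === '1.1' && hosts.length === 0) return 400; // no Host
  return 0; // HTTP/1.0 without Host is allowed
}

// Wraps a request listener so offending requests never reach it.
function requireHost(handler) {
  return (req, res) => {
    const status = hostHeaderStatus(req);
    if (status !== 0) {
      res.writeHead(status, { 'Content-Type': 'text/plain', Connection: 'close' });
      res.end('Bad Request: missing or duplicate Host header\n');
      return;
    }
    handler(req, res);
  };
}

// Constructed sample requests, shaped like http.IncomingMessage.
const SAMPLES = {
  noHost: { httpVersion: '1.1', rawHeaders: ['Connection', 'close'] },
  withHost: { httpVersion: '1.1', rawHeaders: ['Host', 'localhost:8080'] },
  twoHosts: { httpVersion: '1.1', rawHeaders: ['Host', 'a.example', 'host', 'b.example'] },
  http10: { httpVersion: '1.0', rawHeaders: ['Connection', 'close'] },
};

// Usage with the server from the report:
//   http.createServer(requireHost((request, response) => {
//     response.end('<html><body><h1>Hello, World!</h1></body></html>');
//   })).listen(8080);
```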
