nodejs
diff --git a/‎doc/api/http.md
Lines changed: 4 additions & 0 deletions b/‎doc/api/http.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎lib/_http_server.js
Lines changed: 19 additions & 1 deletion b/‎lib/_http_server.js
Lines changed: 19 additions & 1 deletion
diff --git a/‎lib/http.js
Lines changed: 1 addition & 0 deletions b/‎lib/http.js
Lines changed: 1 addition & 0 deletions
diff --git a/‎test/parallel/test-http-chunked-304.js
Lines changed: 1 addition & 1 deletion b/‎test/parallel/test-http-chunked-304.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/parallel/test-http-client-headers-array.js
Lines changed: 13 additions & 4 deletions b/‎test/parallel/test-http-client-headers-array.js
Lines changed: 13 additions & 4 deletions
diff --git a/‎test/parallel/test-http-content-length.js
Lines changed: 3 additions & 3 deletions b/‎test/parallel/test-http-content-length.js
Lines changed: 3 additions & 3 deletions
diff --git a/‎test/parallel/test-http-header-badrequest.js
Lines changed: 1 addition & 1 deletion b/‎test/parallel/test-http-header-badrequest.js
Lines changed: 1 addition & 1 deletion
diff --git a/‎test/parallel/test-http-insecure-parser-per-stream.js
Lines changed: 4 additions & 0 deletions b/‎test/parallel/test-http-insecure-parser-per-stream.js
Lines changed: 4 additions & 0 deletions
diff --git a/‎test/parallel/test-http-insecure-parser.js
Lines changed: 1 addition & 0 deletions b/‎test/parallel/test-http-insecure-parser.js
Lines changed: 1 addition & 0 deletions
diff --git a/‎test/parallel/test-http-keep-alive-drop-requests.js
Lines changed: 1 addition & 0 deletions b/‎test/parallel/test-http-keep-alive-drop-requests.js
Lines changed: 1 addition & 0 deletions
@@ -3185,6 +3185,10 @@ changes:
   * `uniqueHeaders` {Array} A list of response headers that should be sent only
     once. If the header's value is an array, the items will be joined
     using `; `.
+  * `requireHostHeader` {boolean} It forces the server to respond with
+    a 400 (Bad Request) status code to any HTTP/1.1 request message
+    that lacks a Host header (as mandated by the specification).
+    **Default:** `true`.
 
 * `requestListener` {Function}
 
 
@@ -473,6 +473,14 @@ function storeHTTPOptions(options) {
   } else {
     this.connectionsCheckingInterval = 30_000; // 30 seconds
   }
+
+  const requireHostHeader = options.requireHostHeader;
+  if (requireHostHeader !== undefined) {
+    validateBoolean(requireHostHeader, 'options.requireHostHeader');
+    this.requireHostHeader = requireHostHeader;
+  } else {
+    this.requireHostHeader = true;
+  }
 }
 
 function setupConnectionsTracking(server) {
@@ -1022,7 +1030,18 @@ function parserOnIncoming(server, socket, state, req, keepAlive) {
 
   let handled = false;
 
+
   if (req.httpVersionMajor === 1 && req.httpVersionMinor === 1) {
+
+    // From RFC 7230 5.4 https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
+    // A server MUST respond with a 400 (Bad Request) status code to any
+    // HTTP/1.1 request message that lacks a Host header field
+    if (server.requireHostHeader && req.headers.host === undefined) {
+      res.writeHead(400, ['Connection', 'close']);
+      res.end();
+      return 0;
+    }
+
     const isRequestsLimitSet = (
       typeof server.maxRequestsPerSocket === 'number' &&
       server.maxRequestsPerSocket > 0
@@ -1045,7 +1064,6 @@ function parserOnIncoming(server, socket, state, req, keepAlive) {
 
       if (RegExpPrototypeExec(continueExpression, req.headers.expect) !== null) {
         res._expect_continue = true;
-
         if (server.listenerCount('checkContinue') > 0) {
           server.emit('checkContinue', req, res);
         } else {
 
@@ -52,6 +52,7 @@ let maxHeaderSize;
  *   ServerResponse?: ServerResponse;
  *   insecureHTTPParser?: boolean;
  *   maxHeaderSize?: number;
+ *   requireHostHeader?: boolean
  *   }} [opts]
  * @param {Function} [requestListener]
  * @returns {Server}
 
@@ -47,7 +47,7 @@ function test(statusCode) {
     const conn = net.createConnection(
       server.address().port,
       common.mustCall(() => {
-        conn.write('GET / HTTP/1.1\r\n\r\n');
+        conn.write('GET / HTTP/1.1\r\nHost: example.com\r\n\r\n');
 
         let resp = '';
         conn.setEncoding('utf8');
 
@@ -10,7 +10,8 @@ function execute(options) {
     const expectHeaders = {
       'x-foo': 'boom',
       'cookie': 'a=1; b=2; c=3',
-      'connection': 'keep-alive'
+      'connection': 'keep-alive',
+      'host': 'example.com',
     };
 
     // no Host header when you set headers an array
@@ -43,13 +44,20 @@ function execute(options) {
 // Should be the same except for implicit Host header on the first two
 execute({ headers: { 'x-foo': 'boom', 'cookie': 'a=1; b=2; c=3' } });
 execute({ headers: { 'x-foo': 'boom', 'cookie': [ 'a=1', 'b=2', 'c=3' ] } });
-execute({ headers: [[ 'x-foo', 'boom' ], [ 'cookie', 'a=1; b=2; c=3' ]] });
 execute({ headers: [
-  [ 'x-foo', 'boom' ], [ 'cookie', [ 'a=1', 'b=2', 'c=3' ]],
+  [ 'x-foo', 'boom' ],
+  [ 'cookie', 'a=1; b=2; c=3' ],
+  [ 'Host', 'example.com' ],
+] });
+execute({ headers: [
+  [ 'x-foo', 'boom' ],
+  [ 'cookie', [ 'a=1', 'b=2', 'c=3' ]],
+  [ 'Host', 'example.com' ],
 ] });
 execute({ headers: [
   [ 'x-foo', 'boom' ], [ 'cookie', 'a=1' ],
-  [ 'cookie', 'b=2' ], [ 'cookie', 'c=3'],
+  [ 'cookie', 'b=2' ], [ 'cookie', 'c=3' ],
+  [ 'Host', 'example.com'],
 ] });
 
 // Authorization and Host header both missing from the second
@@ -58,4 +66,5 @@ execute({ auth: 'foo:bar', headers:
 execute({ auth: 'foo:bar', headers: [
   [ 'x-foo', 'boom' ], [ 'cookie', 'a=1' ],
   [ 'cookie', 'b=2' ], [ 'cookie', 'c=3'],
+  [ 'Host', 'example.com'],
 ] });
@@ -28,15 +28,18 @@ const server = http.createServer(function(req, res) {
 
   switch (req.url.substr(1)) {
     case 'multiple-writes':
+      delete req.headers.host;
       assert.deepStrictEqual(req.headers, expectedHeadersMultipleWrites);
       res.write('hello');
       res.end('world');
       break;
     case 'end-with-data':
+      delete req.headers.host;
       assert.deepStrictEqual(req.headers, expectedHeadersEndWithData);
       res.end('hello world');
       break;
     case 'empty':
+      delete req.headers.host;
       assert.deepStrictEqual(req.headers, expectedHeadersEndNoData);
       res.end();
       break;
@@ -56,7 +59,6 @@ server.listen(0, function() {
     path: '/multiple-writes'
   });
   req.removeHeader('Date');
-  req.removeHeader('Host');
   req.write('hello ');
   req.end('world');
   req.on('response', function(res) {
@@ -70,7 +72,6 @@ server.listen(0, function() {
     path: '/end-with-data'
   });
   req.removeHeader('Date');
-  req.removeHeader('Host');
   req.end('hello world');
   req.on('response', function(res) {
     assert.deepStrictEqual(res.headers, { ...expectedHeadersEndWithData, 'keep-alive': 'timeout=1' });
@@ -83,7 +84,6 @@ server.listen(0, function() {
     path: '/empty'
   });
   req.removeHeader('Date');
-  req.removeHeader('Host');
   req.end();
   req.on('response', function(res) {
     assert.deepStrictEqual(res.headers, { ...expectedHeadersEndNoData, 'keep-alive': 'timeout=1' });
 
@@ -17,7 +17,7 @@ server.listen(0, mustCall(() => {
   let received = '';
 
   c.on('connect', mustCall(() => {
-    c.write('GET /blah HTTP/1.1\r\n\r\n');
+    c.write('GET /blah HTTP/1.1\r\nHost: example.com\r\n\r\n');
   }));
   c.on('data', mustCall((data) => {
     received += data.toString();
 
@@ -22,6 +22,7 @@ const MakeDuplexPair = require('../common/duplexpair');
 
   serverSide.resume();  // Dump the request
   serverSide.end('HTTP/1.1 200 OK\r\n' +
+                 'Host: example.com\r\n' +
                  'Hello: foo\x08foo\r\n' +
                  'Content-Length: 0\r\n' +
                  '\r\n\r\n');
@@ -39,6 +40,7 @@ const MakeDuplexPair = require('../common/duplexpair');
 
   serverSide.resume();  // Dump the request
   serverSide.end('HTTP/1.1 200 OK\r\n' +
+                 'Host: example.com\r\n' +
                  'Hello: foo\x08foo\r\n' +
                  'Content-Length: 0\r\n' +
                  '\r\n\r\n');
@@ -62,6 +64,7 @@ const MakeDuplexPair = require('../common/duplexpair');
   server.emit('connection', serverSide);
 
   clientSide.write('GET / HTTP/1.1\r\n' +
+                   'Host: example.com\r\n' +
                    'Hello: foo\x08foo\r\n' +
                    '\r\n\r\n');
 }
@@ -77,6 +80,7 @@ const MakeDuplexPair = require('../common/duplexpair');
   server.emit('connection', serverSide);
 
   clientSide.write('GET / HTTP/1.1\r\n' +
+                   'Host: example.com\r\n' +
                    'Hello: foo\x08foo\r\n' +
                    '\r\n\r\n');
 }
 
@@ -19,6 +19,7 @@ server.listen(0, common.mustCall(function() {
       client.write(
         'GET / HTTP/1.1\r\n' +
         'Content-Type: text/te\x08t\r\n' +
+        'Host: example.com' +
         'Connection: close\r\n\r\n');
     }
   );
 
@@ -8,6 +8,7 @@ const assert = require('assert');
 function request(socket) {
   socket.write('GET / HTTP/1.1\r\n');
   socket.write('Connection: keep-alive\r\n');
+  socket.write('Host: localhost\r\n');
   socket.write('\r\n\r\n');
 }
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ server.listen(0, common.mustCall(function() {`
`19`	`19`	`client.write(`
`20`	`20`	`'GET / HTTP/1.1\r\n' +`
`21`	`21`	`'Content-Type: text/te\x08t\r\n' +`
	`22`	`+ 'Host: example.com' +`
`22`	`23`	`'Connection: close\r\n\r\n');`
`23`	`24`	`}`
`24`	`25`	`);`
Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ const assert = require('assert');`
`8`	`8`	`function request(socket) {`
`9`	`9`	`socket.write('GET / HTTP/1.1\r\n');`
`10`	`10`	`socket.write('Connection: keep-alive\r\n');`
	`11`	`+ socket.write('Host: localhost\r\n');`
`11`	`12`	`socket.write('\r\n\r\n');`
`12`	`13`	`}`
`13`	`14`