Title: HTTP_HOST
Last modified: August 21, 2016

---

# HTTP_HOST

 *  Resolved [Abdussamad Abdurrazzaq](https://wordpress.org/support/users/abdussamad/)
 * (@abdussamad)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/http_host/)
 * The call to openlog uses HTTP_HOST as part of the ident. HTTP_HOST can be modified
   by the client and that might be a security risk. Wouldn’t it be better to use
   the WordPress function site_url() instead?
 * [https://wordpress.org/plugins/wp-fail2ban/](https://wordpress.org/plugins/wp-fail2ban/)

Viewing 1 replies (of 1 total)

 *  Plugin Author [invisnet](https://wordpress.org/support/users/invisnet/)
 * (@invisnet)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/http_host/#post-4871230)
 * The Host header is defined in section 14.23 of RFC 2616 as:
 * > `Host = "Host" ":" host [ ":" port ] ; Section 3.2.2`
 * Section 3.2.2 of RFC 2396 defines `host` as:
 * > `hostport = host [ ":" port ]`
   > `host = hostname | IPv4address`
   > `hostname = *( domainlabel "." ) toplabel [ "." ]`
   > `domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum`
   > `toplabel = alpha | alpha *( alphanum | "-" ) alphanum`
 * In other words, if `$_SERVER['HTTP_HOST']` ever contains something other than
   a valid hostname there’s a bug in the web server.
 * So, while it’s true that the client can change the Host header to whatever they
   want, typically it must match the name of a virtual server, and even in a
   brain-dead catch-all configuration the web server should reject invalid hostnames.
 * tl;dr: no, it’s not a security risk.
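
The RFC 2396 grammar quoted in the reply above, written as a validator that can be applied to `$_SERVER['HTTP_HOST']` before the value goes into a syslog ident. This is an added example, not part of the thread and not wp-fail2ban's code; the function names, the `wordpress(...)` ident format, the fallback name and the sample values are assumptions made for illustration.

```php
<?php
/**
 * True if $value matches RFC 2396 section 3.2.2:
 *   hostport = host [ ":" port ],  host = hostname | IPv4address
 * (hypothetical helper name)
 */
function is_rfc2396_hostport(string $value): bool
{
    $alphanum    = '[A-Za-z0-9]';
    $domainlabel = "{$alphanum}(?:(?:{$alphanum}|-)*{$alphanum})?";
    $toplabel    = "[A-Za-z](?:(?:{$alphanum}|-)*{$alphanum})?";
    $hostname    = "(?:{$domainlabel}\\.)*{$toplabel}\\.?";
    $ipv4        = '[0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+';
    // \A and \z anchor the whole string; unlike $, \z does not
    // tolerate a trailing newline.
    $pattern = "/\\A(?:{$hostname}|{$ipv4})(?::[0-9]*)?\\z/";
    return preg_match($pattern, $value) === 1;
}

/**
 * Build a syslog ident from the request's Host header, using $fallback
 * (for example a hostname taken from configuration) when the header is
 * missing or does not match the grammar. (hypothetical helper name)
 */
function syslog_ident(array $server, string $fallback): string
{
    $host = $server['HTTP_HOST'] ?? '';
    if (!is_rfc2396_hostport($host)) {
        $host = $fallback;
    }
    return "wordpress({$host})"; // assumed ident format
}

// Constructed sample Host values, valid and invalid.
$samples = [
    'example.com',
    'example.com:8080',
    '192.0.2.10',
    'a_b.example',               // "_" is not in alphanum
    '-bad.example',              // label may not start with "-"
    "example.com\nsecond line",  // control character
    '',
];
foreach ($samples as $h) {
    printf("%-28s => %s\n", json_encode($h),
        syslog_ident(['HTTP_HOST' => $h], 'site.example'));
}
// In a request handler the result would be passed to syslog, e.g.:
// openlog(syslog_ident($_SERVER, 'site.example'), LOG_PID, LOG_AUTH);
```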
