by qjz
5758 days ago
It's not even necessary to check the HOST header. Simply use name-based virtual hosts and forbid access to the default virtual host. This denies access to simple drive-by bots that crawl IP ranges and others that request a HOST that isn't configured as a virtual host.

http://en.wikipedia.org/wiki/Virtual_hosting#Name-based
Remember, TCP/IP doesn't specify Hostname; messages are only routed by IP.
HTTP 1.1 specifies the Host header specifically to enable features like name-based virtual hosting.
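
A sketch of the setup the comment above describes, added here as an example and not taken from the comment. It assumes Apache httpd 2.4 syntax; the hostnames, paths and log file name are placeholders.

```apache
# Added example: assumes Apache httpd 2.4. All names and paths are placeholders.
#
# With name-based virtual hosting, the first <VirtualHost> defined for an
# address:port pair is the default. It receives every request whose Host
# header matches no ServerName or ServerAlias, which includes requests
# addressed to the bare IP and requests carrying an unconfigured hostname.

# Default (catch-all) virtual host: must be defined first. Serves nothing.
<VirtualHost *:80>
    # Placeholder name that no legitimate client will ever request.
    ServerName default.invalid

    # Refuse every path with 403 Forbidden.
    <Location "/">
        Require all denied
    </Location>

    # Separate log so traffic that missed every configured name is easy to
    # review. Assumes the stock "combined" LogFormat nickname is defined.
    CustomLog "logs/default_vhost_access.log" combined
</VirtualHost>

# The real site: reachable only when the Host header names it.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example"

    <Directory "/var/www/example">
        Require all granted
    </Directory>
</VirtualHost>
```

To check the result, request the server by IP address or with a Host value that is not configured and confirm a 403, then request it with `Host: www.example.com` and confirm the site is served. `apachectl -S` prints which virtual host Apache treats as the default for each address and port.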