HTTP: The Definitive Guide says
An origin server that isn’t virtually hosted, and doesn’t allow
resources to differ by the requested host, may ignore the Host header
field value. But any origin server that does differentiate resources
based on the host must use the following rules for determining the
requested resource on an HTTP/1.1 request:
If the URL in the HTTP request message is absolute (i.e., contains a scheme and host component), the value in the Host header is ignored
in favor of the URL.
If the URL in the HTTP request message doesn’t have a host, and the request contains a Host header, the value of the host/port is obtained
from the Host header.
If no valid host can be determined through Steps 1 or 2, a 400 Bad Response response is returned to the client.
Where is “the URL in the HTTP request message”?
Is it the one in the request line (in the first line in a HTTP request, after method such as
The URL is not required to appear anywhere in an HTTP request (except when made to a proxy; see below).
Only specific components of a URL normally appear in the request, i.e. the host (and port if applicable) which appears in the Host header, and the path and query string which appear in the request line. One thing that does not appear in the request is the scheme (http or https), which occasionally gives developers fits if the web application actually has a need to know the scheme.
It is possible for an alternate form of the request line to contain the complete URL as the request target, and it is mandatory for servers to be able to process this format, but this is not normally seen except when the user agent is knowingly speaking to an HTTP proxy. In this case, the proxy needs to know the scheme so that it can try to pass the request along, and the complete URL form is the way to do that defined in the relevant standard (RFC 7230).
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.