Reject HTTP/1.1 requests without Host header

[Cycloctane]

What do these changes do?

• Make http parser raise BadHttpMessage when a HTTP/1.1 request does not set host header
• Add test
• Fix existing tests

Are there changes in behavior for the user?

Is it a substantial burden for the maintainers to support this?

Related issue number

Fixes #10600

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes
• If you provide code modification, please add yourself to CONTRIBUTORS.txt
• Add a new news fragment into the CHANGES/ folder

[codspeed-hq]

Merging this PR will not alter performance

✅ 59 untouched benchmarks

---

_{Comparing Cycloctane:reject-requests-without-host-header (95a3dbc) with master (438cb40)¹}

Footnotes

1. No successful run was found on master (2602b71) during the generation of this report, so 438cb40 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.11%. Comparing base (2602b71) to head (95a3dbc).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #12264   +/-   ##
=======================================
  Coverage   99.10%   99.11%           
=======================================
  Files         130      130           
  Lines       45432    45442   +10     
  Branches     2400     2401    +1     
=======================================
+ Hits        45025    45038   +13     
+ Misses        276      273    -3     
  Partials      131      131           

Flag	Coverage Δ
CI-GHA	98.96% <100.00%> (+<0.01%)	⬆️
OS-Linux	98.70% <100.00%> (+<0.01%)	⬆️
OS-Windows	96.98% <100.00%> (+<0.01%)	⬆️
OS-macOS	97.86% <100.00%> (+<0.01%)	⬆️
Py-3.10.11	97.41% <100.00%> (-0.01%)	⬇️
Py-3.10.20	97.89% <100.00%> (+<0.01%)	⬆️
Py-3.11.15	98.09% <100.00%> (+<0.01%)	⬆️
Py-3.11.9	97.62% <100.00%> (+<0.01%)	⬆️
Py-3.12.10	97.71% <100.00%> (+<0.01%)	⬆️
Py-3.12.13	98.18% <100.00%> (+<0.01%)	⬆️
Py-3.13.12	98.43% <100.00%> (+<0.01%)	⬆️
Py-3.14.3	98.49% <100.00%> (+<0.01%)	⬆️
Py-3.14.3t	97.49% <100.00%> (+<0.01%)	⬆️
Py-pypy3.11.13-7.3.20	97.53% <98.96%> (+<0.01%)	⬆️
VM-macos	97.86% <100.00%> (+<0.01%)	⬆️
VM-ubuntu	98.70% <100.00%> (+<0.01%)	⬆️
VM-windows	96.98% <100.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Dreamsorcerer]

I don't think this should be restricted to 1.1?

https://www.rfc-editor.org/rfc/rfc9110#section-7.2-4

[Dreamsorcerer]

When 2+ support is added, it'll need to additionally check for this :authority header. But, until then, it should probably require Host on all versions.

[Cycloctane]

I don't think this should be restricted to 1.1?

It seems that this requirement is new in 1.1. It is not included in the original HTTP/1.0 RFC.

https://www.rfc-editor.org/rfc/rfc9112#appendix-C.2.1-1

[Dreamsorcerer]

Hmm, my link above is for RFC 9110 which covers HTTP generically, not a specific version. RFC 9112 says that Host header support was rolled out pretty quickly in HTTP/1.0, so it seems reasonable to require it today?

[Dreamsorcerer]

Even if not, it should still be a lower bound, right? Not an exact match.