1. host

1.1 Definition

The Host header specifies the domain name (or IP address) and port number of the server that the request is addressed to.

Composition: Domain name + port number

Example: test.com:1998

If no port number is given, the default port of the requested service is automatically used (for example, port 80 is automatically used when requesting an HTTP URL).

Every HTTP/1.1 request message must contain a Host header field. If an HTTP/1.1 request lacks the Host header field, or contains more than one Host header field, the server responds with a 400 (Bad Request) status code.

1.2 Use

As we know, several different domain names can be pointed at the same IP address through A records or CNAME records, and a single IP address can host several different sites, so requests for different domain names all arrive at the same IP address. How does the server tell these sites apart? It uses the Host header: each request is routed to a different site according to the Host value it carries.

In short, the Host header is mainly used for virtual hosting. Virtual hosting is a form of shared web hosting that uses virtualization to divide one physical server into several virtual hosts, so that multiple websites or services can run on a single machine.

For example, suppose a server with the IP address 11.11.11.11 hosts the websites of Taobao, Jingdong and Pinduoduo, with three virtual hosts configured: a.com, b.com and c.com. All three domain names point to 11.11.11.11. When we visit c.com we see Pinduoduo's pages rather than Taobao's or Jingdong's, because the Host header determines which virtual host is accessed.

2. referer

2.1 Definition

The Referer header contains the address of the source page of the current request, meaning that the current page was reached by following a link on that source page.

Composition: Protocol + domain name + port number + path + query parameters (note that the hash fragment is not included)

Example: test.com:1998/home

It is worth noting that "referer" is actually a misspelling of "referrer" that has been kept for compatibility.

The Referer is not sent in the following situations:

  • The source page uses a "file" or "data" URI, i.e. it represents a local file.
  • The current request uses an insecure protocol (HTTP) while the source page uses a secure protocol (HTTPS).
  • The URL is typed directly into the address bar, or the page is opened from a browser bookmark.
  • The navigation is made with JavaScript location.href or location.replace().
  • The link uses the HTML5 noreferrer link type.

2.2 Use

The server generally uses the Referer header to identify where a request came from. This may be used for statistical analysis, logging, cache optimization and so on, and it is also commonly used to prevent image hotlinking.

The principle of hotlink protection is as follows: when a user visits a web page, the Referer is the URL of the previous page; for an image, it is usually the page that the image is embedded in. When the browser sends the request, the Referer is carried automatically in the HTTP request headers. The image server uses this header to check whether the Referer belongs to its own site, and blocks the request if it does not.

Take an image from the Nuggets site as an example:

P1-jj.byteimg.com/tos-cn-i-t2…

Opening it directly in a browser works, because no Referer is sent in that case.

But if you embed the image on your own website, the image does not display normally.

This is because your site's Referer is not on the Nuggets whitelist. (The Nuggets app, WeChat and other clients can display it because they are on the Nuggets whitelist.)

So how is hotlink protection bypassed? The common approach is to use a server-side program as a proxy crawler, since a server-side crawler can set its request headers freely.

But the Referer has its problems. For example, when requesting external websites it carries the full URL, including query parameters, which may contain private information, so there is a certain risk of privacy leakage. Origin has no such privacy concern.

3. origin

3.1 Definition

The Origin request header indicates which site the request came from. It carries only the server name and contains no path information, so it is similar to the Referer header except that the path is omitted.

This header is used for CORS or POST requests.

Composition: Protocol + domain name + port number

Note: the Origin header is only carried in cross-origin requests (answered by the Access-Control-Allow-Origin response header) or in cross-origin POST requests. If the browser cannot determine the request's source, Origin is still carried, but with the value null.

Referer, by contrast, is carried whenever the browser can determine the request source; if the browser cannot determine it, the request carries no Referer at all.

3.2 Use

For CORS: when the browser makes a cross-origin request, the server checks whether the request comes from an approved site, and it uses the value of the Origin header to decide.
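As an added example (not code from the original article), the three server-side checks described in sections 1.2, 2.2 and 3.2 written as plain Python functions: routing by the Host header, Referer-based hotlink protection, and an exact-match Origin check for CORS. All hostnames and allow-lists are constructed sample values.

```python
# Added example: server-side handling of Host, Referer and Origin.
# Every hostname and allow-list below is a constructed sample value.
from urllib.parse import urlsplit

VHOSTS = {"a.com": "taobao-site", "b.com": "jingdong-site", "c.com": "pinduoduo-site"}
REFERER_WHITELIST = {"example-nuggets.test"}   # constructed hotlink whitelist (hosts)
CORS_ALLOWED = {"https://app.example.test"}    # constructed CORS allow-list (origins)


def route_by_host(headers, default_port=80):
    """Section 1: pick the virtual host from the Host header.
    headers is a list of (name, value) pairs, so repeated headers are visible.
    Returns (status, site, port); 400 if Host is missing, repeated or malformed,
    404 if the name matches no configured virtual host."""
    hosts = [v for k, v in headers if k.lower() == "host"]
    if len(hosts) != 1:
        return 400, None, None                 # HTTP/1.1 requires exactly one Host
    name, _, port = hosts[0].strip().partition(":")
    if port and not port.isdigit():
        return 400, None, None
    port = int(port) if port else default_port  # no port given: use the default
    site = VHOSTS.get(name.lower())
    return (200, site, port) if site else (404, None, port)


def image_allowed(referer):
    """Section 2.2: hotlink protection. Direct opens and bookmarks send no
    Referer and are allowed; otherwise only whitelisted referring hosts pass."""
    if referer is None:
        return True
    host = urlsplit(referer).hostname          # strips scheme, port, path, query
    return host is not None and host.lower() in REFERER_WHITELIST


def cors_allow_origin(origin):
    """Section 3.2: exact-match the Origin (scheme + host + port) against the
    allow-list. Returns the Access-Control-Allow-Origin value to send, or None.
    A real handler should also send 'Vary: Origin' when the value depends on it."""
    if origin is None or origin == "null":
        return None                            # absent or opaque origin: never reflect
    return origin if origin in CORS_ALLOWED else None


if __name__ == "__main__":
    print(route_by_host([("Host", "c.com:1998")]))      # (200, 'pinduoneo-site', 1998)
    print(image_allowed("https://evil.test/page"))       # False
    print(cors_allow_origin("https://app.example.test"))  # https://app.example.test
```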

References

  • The difference between Host, Referer and Origin
  • HTTP Headers