I’m developing a Heroku application that will be accessible via several domains. I need to distinguish which particular domain a request is related to. This is needed, for example, to construct absolute URLs of resources returned in the Location header.
Can I trust the Host header that arrives in the request to a Heroku application to always point to a domain that is associated with the application (either default xyz.herokuapp.com domain or one of domains added with heroku domains:add command)?
I know that this header can be set by a user to whatever value, but Heroku front end servers need to do some kind of filtering to dispatch requests to the correct application. Is this filtering bulletproof enough to trust the Host header?
If the request reached your application then the Host header will be one configured for your app.
If the Host header was not one of yours the Heroku servers would have sent the request elsewhere.
You can prove this on the command line by sending a wrong host.
for example:
$ curl "http://ismy.herokuapp.com" -H "Host: notmy.herokuapp.com"

So, the answer to your question is yes. I’d trust it.
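The question is about building absolute Location URLs from the Host header. The following is an added example, not code from the question or the answer, showing one way to do that in Python: the app compares the incoming Host against the list of domains it is configured to serve (the default xyz.herokuapp.com plus whatever was added with heroku domains:add) and refuses to build a URL for anything else, so the curl check from the answer is also enforced inside the app. The domain list, the header dictionaries and the function names are assumptions for illustration.

```python
"""Build absolute Location URLs from a request's Host header.

Added example, not code from the question or the answer. ALLOWED_HOSTS,
the request header dicts and the helper names are assumptions; a real app
would load the list from its config (the default xyz.herokuapp.com plus
every domain added with `heroku domains:add`).
"""
from urllib.parse import urlunsplit

# Constructed sample: the hosts this app is configured to serve.
ALLOWED_HOSTS = frozenset({
    "ismy.herokuapp.com",
    "www.example.com",
    "api.example.com",
})


def effective_host(headers, allowed_hosts=ALLOWED_HOSTS):
    """Return the lowercased Host value if it is one of ours, else None.

    `headers` is a mapping of request header names to values. An optional
    ":port" suffix is stripped before comparison because some proxies pass
    it through; any value that does not then match exactly is rejected.
    """
    host = headers.get("Host") or headers.get("host")
    if not host:
        return None
    host = host.strip().lower()
    # Strip a trailing port (host:8080); leave IPv6 literals untouched.
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]
    if host in allowed_hosts:
        return host
    return None


def location_url(headers, path, scheme="https", allowed_hosts=ALLOWED_HOSTS):
    """Absolute URL for `path` on the host that received the request.

    Raises ValueError when the Host header is missing or not one of the
    configured domains, instead of silently emitting a Location that points
    at a host the client chose. `scheme` is assumed here; an app that must
    distinguish http from https would derive it from the router's
    X-Forwarded-Proto header rather than from the client.
    """
    host = effective_host(headers, allowed_hosts)
    if host is None:
        raise ValueError(
            f"request Host header is not a configured domain: {headers.get('Host')!r}"
        )
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit((scheme, host, path, "", ""))


if __name__ == "__main__":
    # Constructed requests mirroring the curl check in the answer above.
    good = {"Host": "ismy.herokuapp.com"}
    bad = {"Host": "notmy.herokuapp.com"}
    print(location_url(good, "/resources/42"))
    try:
        location_url(bad, "/resources/42")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is the same set of names the Heroku router dispatches on, so in normal operation every request that reaches the dyno passes the check; it exists so that a misconfiguration, a direct hit on the dyno from another path, or a stale domain list fails loudly rather than producing a redirect to a host the app never meant to name.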