On Sun, May 11, 2025 at 11:01:43PM -0400, Demi Marie Obenour wrote:
> I think it would be best to validate Host and :authority identically.
> The reason is that user configuration accesses :authority via the host
> header.  For instance,
> 
>     http-request set-uri https://%[req.hdr(host)]%[pathq]
> 
> (from https://www.mail-archive.com/haproxy@formilux.org/msg43261.html)
> is only safe if host is validated.

It will be implicit since :authority must be strictly equal to host ;-)

Willy
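
The point made in this exchange, as an added example that is not part of the thread or of HAProxy's code: a request passes only if `:authority` (when present) is byte-for-byte equal to `Host` and the value fits a host[:port] grammar, so the value interpolated by the `set-uri` rule above is the authority a URI parser later extracts. The grammar, function names and sample requests are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Simplified host[:port] grammar (assumption for this example, not HAProxy's
# validator): a reg-name/IPv4 of letters, digits, '-' and '.', or a bracketed
# IPv6 literal, followed by an optional decimal port.
HOST_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])"
    r"(?::[0-9]{1,5})?"
)

def valid_host(value):
    """True only if the whole value fits the host[:port] grammar above."""
    return HOST_RE.fullmatch(value) is not None

def check_request(authority, host):
    """Return None if accepted, else the reason; None arguments mean 'absent'."""
    if authority is not None and host is not None and authority != host:
        return "authority/host mismatch"
    value = authority if authority is not None else host
    if value is None:
        return "no host"
    if not valid_host(value):
        return "invalid host"
    return None

def set_uri(host, pathq):
    """Model of: http-request set-uri https://%[req.hdr(host)]%[pathq]"""
    return "https://" + host + pathq

def authority_seen_downstream(host, pathq):
    """Authority a URI parser extracts from the rebuilt URI."""
    return urlsplit(set_uri(host, pathq)).netloc

# Constructed sample requests: (:authority, Host, path+query)
SAMPLES = [
    ("example.com", "example.com", "/index.html"),
    (None, "example.com:8443", "/a?b=1"),
    (None, "[2001:db8::1]:443", "/"),
    ("example.com", "example.net", "/"),
    (None, "example.com/extra", "/index.html"),
]

if __name__ == "__main__":
    for authority, host, pathq in SAMPLES:
        print(repr(host), check_request(authority, host),
              authority_seen_downstream(host, pathq))
```

For the last sample the header value and the authority parsed from the rebuilt URI differ, which is the case validation exists to reject.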