
I am getting a number of requests to my site with the Host header set incorrectly (most commonly to the IP address instead of the domain name). Currently I am returning 400 Bad Request. I am thinking of returning 301 or 302, but I am not sure if it's a good idea.

What is the best practice when the client sets the Host header incorrectly?

Flash

2 Answers


I would say that everything should send a valid Host field except some bots and other automatic scanners.

HTTP/1.0 (which did not have a Host header) usage today is basically zero, and again, anything still using this is likely not something you want or need on your site.

So to me there is limited value in 301- or 302-redirecting these requests, and they may end up following that and hitting your site again, wasting your resources.

Finally, you're probably spending too much time worrying about this. Junk requests are part and parcel of running a public-facing internet site and, for the most part, are better ignored than wasting time on them. If you are concerned, then you can install a WAF to filter this sort of thing out.

Barry Pollard

What is the current behaviour of your webserver? Do you display an actual site when handling requests with missing Host: headers and/or Host: headers with unknown DNS names?

If you're currently displaying an actual site and want to change that, before doing so you may want to investigate first whether or not you have some:

  • real clients that still use HTTP protocol level 1.0, which didn't have the Host: header yet.

If that is the case, then you may need to accommodate those by keeping the current behaviour (at least for those specific clients).

Arguably there is some value in not displaying an actual website in response to invalid requests, if only to keep some of the garbage that network scanners/web crawlers/bots create out of the logs for your real sites.

HBruijn
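Putting both answers into practice, here is an added example; it is not code from either answer or from any particular web server. It has two parts: a Host-header policy that answers IP literals and unknown names with a 400 (never a 301/302, for the reason the first answer gives) while still serving HTTP/1.0 requests that carry no Host header at all, and an audit over combined-format access-log lines that splits HTTP/1.0 traffic into known crawlers and everything else, which is the check the second answer suggests running before you tighten things. The allowed hostnames, the bot user-agent markers, and the sample log lines are all constructed for the example.

```python
"""Host-header policy and HTTP/1.0 log audit (added example, constructed data)."""
import ipaddress
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumption for the example: these are the only names this server should answer to.
ALLOWED_HOSTS: Set[str] = {"example.com", "www.example.com"}


def normalize_host(host: str) -> str:
    """Lower-case a Host value and drop an optional :port; IPv6 brackets are kept."""
    host = host.strip().lower()
    if host.startswith("["):  # bracketed IPv6 literal, e.g. [2001:db8::1]:8080
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_ip_literal(host: str) -> bool:
    """True when the (normalized) Host is a bare IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def host_policy(protocol: str, host: Optional[str],
                allowed: Set[str] = ALLOWED_HOSTS) -> Tuple[int, str]:
    """Return (status, reason) for a request's protocol version and Host header.

    200 means serve the real site, 400 means reject. No 301/302 is ever issued:
    a scanner that sent the bad Host would simply follow the redirect and cost
    a second request.
    """
    if host is None:
        if protocol == "HTTP/1.0":
            # HTTP/1.0 predates the Host header, so its absence is not an error there.
            return 200, "serve default site (HTTP/1.0 client without Host)"
        # RFC 7230 section 5.4: an HTTP/1.1 request without Host must get a 400.
        return 400, "missing Host header in HTTP/1.1 request"
    name = normalize_host(host)
    if is_ip_literal(name):
        return 400, "Host is an IP literal: " + name
    if name not in allowed:
        return 400, "Host not served here: " + name
    return 200, "serve " + name


# Apache/nginx "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-agent substrings treated as known crawlers/scanners (assumption for the example).
BOT_MARKERS = ("bot", "crawler", "spider", "zgrab", "masscan", "python-requests")


def http10_clients(lines: Iterable[str]) -> Dict[str, int]:
    """Count HTTP/1.0 requests in combined-format log lines, split into bots and others.

    Run this over real logs before tightening Host handling: a non-zero 'other'
    count means there may be genuine HTTP/1.0 clients worth keeping the site up for.
    """
    counts = {"bot": 0, "other": 0, "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            counts["unparsed"] += 1
            continue
        if m.group("proto") != "HTTP/1.0":
            continue
        ua = m.group("ua").lower()
        counts["bot" if any(marker in ua for marker in BOT_MARKERS) else "other"] += 1
    return counts


# Constructed sample log lines (not real traffic), one per branch of the audit.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Mar/2024:10:00:01 +0000] "GET / HTTP/1.0" 400 0 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.4 - - [01/Mar/2024:10:00:02 +0000] "GET / HTTP/1.0" 400 0 "-" "zgrab/0.x"',
    '192.0.2.77 - - [01/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Lynx/2.8.9rel.1"',
    '192.0.2.78 - - [01/Mar/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for proto, host in [("HTTP/1.1", "www.example.com"), ("HTTP/1.1", "203.0.113.5"),
                        ("HTTP/1.1", "[2001:db8::1]:8080"), ("HTTP/1.1", None), ("HTTP/1.0", None)]:
        print(proto, host, "->", host_policy(proto, host))
    print("HTTP/1.0 clients in sample log:", http10_clients(SAMPLE_LOG))
```

In a real deployment the same policy is usually expressed in the server configuration rather than in code: in nginx, a `default_server` block with its own `access_log` that returns 400 (or 444, which just closes the connection), with the real names listed under `server_name` in their own blocks, so the junk never shows up in the logs of the real sites. The Python is here to make the decision, including the HTTP/1.0 carve-out, explicit and testable.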