Closed
Description
HTTP/1.1 mandates (both in RFC2616 and RFC7230) that requests lacking a Host header should unconditionally receive a 400 Bad Request response.
https://tools.ietf.org/html/rfc2616#section-14.23
All Internet-based HTTP/1.1 servers MUST respond with a 400 (Bad Request)
status code to any HTTP/1.1 request message which lacks a Host header
field.
https://tools.ietf.org/html/rfc7230#section-5.4
A server MUST respond with a 400 (Bad Request) status code to any
HTTP/1.1 request message that lacks a Host header field and to any
request message that contains more than one Host header field or a
Host header field with an invalid field-value.
Right now Go happily accepts such requests without returning 400: as such it's non-conforming to the RFCs.