When creating a PSR request from globals, the hostname is set twice in the Host header. This is not allowed according to the RFC:
A server MUST respond with a 400 (Bad Request) status code to any
HTTP/1.1 request message that lacks a Host header field and to any
request message that contains more than one Host header field or a
Host header field with an invalid field-value.
The first hostname is added in the ServerRequest object constructor:
if (!$this->hasHeader('Host')) {
$this->updateHostFromUri();
}
However, Host header is added again in the ServerRequestCreator class in the fromArrays() function here because it uses the withAddedHeader function:
foreach ($headers as $name => $value) {
// Because PHP automatically casts array keys set with numeric strings to integers, we have to make sure
// that numeric headers will not be sent along as integers, as withAddedHeader can only accept strings.
if (\is_int($name)) {
$name = (string) $name;
}
$serverRequest = $serverRequest->withAddedHeader($name, $value);
}
This results in the following Host header in the Psr request:
When creating a PSR request from globals, the hostname is set twice in the Host header. This is not allowed according to the RFC:
The first hostname is added in the ServerRequest object constructor:
However, Host header is added again in the
ServerRequestCreatorclass in thefromArrays()function here because it uses thewithAddedHeaderfunction:This results in the following Host header in the Psr request: