Requiring a Host header for HTTP 1.0 requests


#1

We are currently making a change to the API that will require the presence of a Host header. After this change, any HTTP 1.0 requests without a Host header will receive an HTTP 400 Bad Request response. This matches our behavior for HTTP 1.1 requests, where the Host header is mandatory.

This change will affect an extremely small number of unidentified applications, most of which have already been making unsuccessful API calls. According to our logs, the only HTTP 1.0 requests sent without a Host are anonymous requests sent to deprecated API v1.0 endpoints, and a majority of these have no set User-Agent and have been receiving HTTP 404 responses for quite some time.

While HTTP 1.0 requests that include the header will be unaffected, we strongly recommend moving to HTTP 1.1 for all API requests.

For more information about the Host header, see Section 14 of RFC2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html. Generally, the header for an API request will look like:

```
Host: api.twitter.com
```

The change is being canaried today and should go out to production next week. We will update the calendar of API changes when it does.
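The rule announced above, sketched as an added example that is not part of the original post and is not Twitter's code: it parses a raw request head and returns 400 when no Host header is present, for HTTP 1.0 and HTTP 1.1 alike. The function names, the `/example.json` path, the 200 stand-in for "request accepted" and the handling of malformed or other-version requests are assumptions made for illustration.

```python
from typing import Dict, List, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, List[str]]]:
    """Split a raw request head into method, target, version and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    # Raises ValueError when the request line lacks one of its three parts.
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # Header field names are case-insensitive, so normalise before lookup.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def status_for(raw: bytes) -> int:
    """Return 400 if the Host header is missing, else 200 (stand-in for 'accepted')."""
    try:
        _, _, version, headers = parse_request_head(raw)
    except ValueError:
        return 400  # assumption: unparseable requests are rejected as well
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return 400  # assumption: other versions are outside this sketch
    if "host" not in headers:
        return 400  # the rule from the post: Host is required for 1.0 and 1.1
    return 200


# Constructed sample requests (not taken from real traffic).
SAMPLES = {
    "1.0, no Host": b"GET /example.json HTTP/1.0\r\n\r\n",
    "1.0, with Host": b"GET /example.json HTTP/1.0\r\nHost: api.twitter.com\r\n\r\n",
    "1.1, no Host": b"GET /example.json HTTP/1.1\r\nUser-Agent: demo\r\n\r\n",
    "1.1, with Host": b"GET /example.json HTTP/1.1\r\nhost: api.twitter.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label}: {status_for(request)}")
```

Running the same check against the requests your own client emits is a quick way to confirm that an HTTP 1.0 code path actually sends the header.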


#2

This has been rolled out.