>> Is there a way to catch the host header just before passing it to the DLLs?
look in the host app, in the webServer procedure, in the StartNewthread method.
you'll see this line;
ThisWebServer._SitesQueue.HostName = lower(self._GetHeaderField ('host:', p_RequestData.DataString, 1, p_RequestData.DataStringLen, 1, 1))
It then goes on to do a lookup on the ThisWebServer._SitesQueue.
So I guess the place to inject your code is immediately after the line above.
If you do tweak this code feel free to submit it back to me - ideally you want something that won't be overwritten with the next multi-host update.
>> Because its tempting to hackers..... just showing its there....
This doesn't make sense to me. Because
1)
a) you need to be able to access the host. Which means either using the IP address of the server directly, or adding an entry to the DNS table for your domain.
b) If you add an entry to the DNS table for your domain then you are advertising "that it's there".
c) which means that if you add an entry in the host to match all the entries in the DNS table then you've covered the bases.
Now it's possible I'll add a default site anyway (because it's possible to create DNS entries which point at other people's IP addresses) but frankly this makes no difference to a hacker or not. The fact that it exists is obvious to anyone who looks for it...
2) You should never be relying on "obscurity" as a defense mechanism. Yes, there are some advantages to being "different" (you don't get hit by the well known common flaws in say Apache or IIS that's out of date) but we don't want to base security on that. It's a nice bonus, but given that a hacker can almost certainly find your site it's nothing more than a polite knee-high picket fence at the edge of your garden.
Incidentally, what the server does when the host is not in the queue is completely up to you. In the same place as earlier you'll see what happens if the entry is not found in the ThisWebServer._SitesQueue.
By default it goes to the "start page" of the first entry in the queue (which is the host.)
The host is a web server (just like any other) so the first page is specified in the WebServer procedure - and is set to 'loginforn'.
But of course you can direct it to absolutely any page you like, and any page you create. So maybe I should revise my answer from earlier;
>> Is there a way to create a default [page]
yes. Set the default page in the WebServer, Default Page setting.
Cheers
Bruce