fix #274

2 files changed, 8 insertions, 4 deletions

diff --git a/examples/redirect_requests.py b/examples/redirect_requests.py
index 278160c7..a9a7e795 100644
--- a/examples/redirect_requests.py
+++ b/examples/redirect_requests.py
@@ -7,12 +7,12 @@ This example shows two ways to redirect flows to other destinations.
 
 
 def request(context, flow):
-    if flow.request.host.endswith("example.com"):
+    if flow.request.get_host(hostheader=True).endswith("example.com"):
         resp = HTTPResponse(
             [1, 1], 200, "OK",
             ODictCaseless([["Content-Type", "text/html"]]),
             "helloworld")
         flow.request.reply(resp)
-    if flow.request.host.endswith("example.org"):
+    if flow.request.get_host(hostheader=True).endswith("example.org"):
         flow.request.host = "mitmproxy.org"
         flow.request.headers["Host"] = ["mitmproxy.org"]
diff --git a/libmproxy/protocol/http.py b/libmproxy/protocol/http.py
index eec62916..68762833 100644
--- a/libmproxy/protocol/http.py
+++ b/libmproxy/protocol/http.py
@@ -464,9 +464,13 @@ class HTTPRequest(HTTPMessage):
     def get_host(self, hostheader=False):
         """
             Heuristic to get the host of the request.
-            The host is not necessarily equal to the TCP destination of the request,
-            for example on a transparently proxified absolute-form request to an upstream HTTP proxy.
+
+            Note that get_host() does not always return the TCP destination of the request,
+            e.g. on a transparently intercepted request to an unrelated HTTP proxy.
+
             If hostheader is set to True, the Host: header will be used as additional (and preferred) data source.
+            This is handy in transparent mode, where only the ip of the destination is known, but not the
+            resolved name. This is disabled by default, as an attacker may spoof the host header to confuse an analyst.
         """
         host = None
         if hostheader: