The danger of the trailing dot in the domain name

Domain Name Trailing Dot

There is such a thing as a fully qualified domain name, so each domain name in fact has a dot at the end. You may not even be aware that your website is also accessible on the domain name with the dot at the end (for example and ), as browsers accept both forms.

Possible issues

If you do not account for the fact that a user can accidentally enter the domain name with a dot at the end, or follow a link received from some "well-wisher" and land on your domain name with the dot at the end, it may lead to unexpected consequences:

1) If the website uses HTTPS, the browser will display an untrusted-connection warning when navigating to the domain name with the dot at the end.

2) Authentication may be broken, as cookies are usually set for the domain name without a dot at the end. In this case the user will be quite surprised that they can't log in. Note that a cookie set for a domain name with a dot at the end will not be sent to the domain name without the dot at the end, and vice versa.

3) JavaScript on the page may be broken.

4) There may be problems with the caching of website pages (for example, does not clear the page cache if the domain name has a dot at the end, considering it an invalid domain name).

5) If conditions in your web server configuration rely on a particular domain name ($http_host in Nginx, %{HTTP_HOST} in Apache) without the dot at the end, you may face a variety of unexpected situations: unexpected redirects, basic-authorization problems, etc.

6) If the web server is not configured to accept requests on the domain name with the trailing dot, any user who accidentally typed a domain name with the trailing dot will see something like Bad Request - Invalid Hostname.

7) Search engines may decide that your resource has duplicate content if someone accidentally or intentionally posts links to your web pages with a dot at the end of the domain name.


Redirecting to the domain name without a dot avoids some of the problems described above:

Apache (.htaccess)
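RewriteEngine On
# Any Host other than the canonical name (including "domain.zone.") is redirected to it
RewriteCond %{HTTP_HOST} !^domain\.zone$
RewriteRule ^(.*)$ http://domain.zone/$1 [L,R=301]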

Nginx (nginx.conf)
if ($http_host != 'domain.zone') {
    return 301 http://domain.zone$request_uri;
}

IIS (web.config)
<httpRuntime relaxedUrlToFileSystemMapping="true"/>
<rule name="point" stopProcessing="true">
    <match url="^(.*)\.$" />
    <action type="Redirect" url="{R:1}" redirectType="Temporary" />
</rule>
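
An application-level version of the same redirect, as an added example that is not part of the original post: it removes exactly one trailing dot and any case difference from the Host header, and only redirects to names on an allow-list instead of reflecting whatever host the client sent. The names `split_host_port`, `canonical_redirect` and `CANONICAL_HOSTS` are hypothetical, `domain.zone` is the post's placeholder, and the `https` default scheme is an assumption.

```python
from typing import Optional, Tuple

# Allow-list of canonical names; "domain.zone" is the post's placeholder host.
CANONICAL_HOSTS = {"domain.zone"}
DEFAULT_PORTS = {"http": "80", "https": "443"}


def split_host_port(host_header: str) -> Tuple[str, str]:
    """Split a Host header value into (host, port); port is '' when absent."""
    value = host_header.strip()
    if value.startswith("["):  # bracketed IPv6 literal such as [::1]:8080
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal in Host header")
        return value[: end + 1], value[end + 1:].lstrip(":")
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, port
    return value, ""


def canonical_redirect(host_header: str, request_uri: str,
                       scheme: str = "https") -> Optional[str]:
    """Return None if the Host is already canonical, or the Location value
    for a 301 when it differs only by case or one trailing dot.
    Raises ValueError for any host outside the allow-list (answer 400)."""
    host, port = split_host_port(host_header)
    normalized = host.lower()
    if normalized.endswith("."):
        normalized = normalized[:-1]  # strip exactly one root dot
    if normalized not in CANONICAL_HOSTS:
        # Never build a redirect from a client-supplied name we do not own.
        raise ValueError("unknown host: %r" % host_header)
    if not request_uri.startswith("/"):
        raise ValueError("request URI must be origin-form")
    if host == normalized:
        return None
    # Keep a non-default port so the redirect also works on custom ports.
    authority = normalized
    if port and port != DEFAULT_PORTS.get(scheme):
        authority += ":" + port
    return "%s://%s%s" % (scheme, authority, request_uri)
```

Comparing the normalized name against an allow-list keeps the redirect target fixed even when the Host header is attacker-controlled.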


Redirects to (after bypassing a warning on untrusted connection.)

Authentication works, but after navigating to user is not authenticated anymore.

Stack Overflow
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

Authentication does not work.

404 - Page not found

Authentication does not work.

Authentication does not work.

Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.

Authentication works.

Not found.

We're sorry, Flickr doesn't allow embedding within frames.

Error (403) It seems you tried to do something we can't verify. Did you log into a different Dropbox account in a different window?

Authentication does not work.
JavaScript error: "NS_ERROR_DOM_BAD_DOCUMENT_DOMAIN: Illegal document.domain value"

Redirects to


1) In Nginx you can't specify a virtual server using the Fully Qualified Domain Name:

server {
     server_name domain.zone.;
}

6 comments:

  1. Replies
    1. $ curl -I
      HTTP/1.1 200 OK
      Date: Sat, 16 Mar 2013 17:08:50 GMT
      Expires: -1
      Cache-Control: private, max-age=0
      Content-Type: text/html; charset=ISO-8859-1
      Set-Cookie: PREF=ID=41394d01ad80ecef:FF=0:TM=1363453730:LM=1363453730:S=mg72E_bD90O4JafN; expires=Mon, 16-Mar-2015 17:08:50 GMT; path=/;
      Set-Cookie: NID=67=HlL4mxXbPaUiXjgvMUAB8Uhmb4xJlxNb65A9DQKeNErThwfSaX_ykxPwpJDOFtoulMSP1s6CwUZXqEeTiImLo2FmKwMzcemqHyXhZzog__KrhU25L6epTwx3nWhBdrG8; expires=Sun, 15-Sep-2013 17:08:50 GMT; path=/;; HttpOnly
      P3P: CP="This is not a P3P policy! See for more info."
      Server: gws
      X-XSS-Protection: 1; mode=block
      X-Frame-Options: SAMEORIGIN
      Transfer-Encoding: chunked

  2. The following is preferable for nginx, as it works without having to hard code the host name.

    if ($http_host ~ "\.$" ){
        rewrite ^(.*) http://$host$1 permanent;
    }

    1. In this case your website will be available from "" and from ""

  3. Following Liam's lead, the following may be preferable for Apache2, as it works without hard-coding the host name, and it works with custom ports:

    RewriteCond %{HTTP_HOST} ^(.*)\.(:\d+)?$
    RewriteRule ^(.*)$ http://%1%2$1 [L,R=301]

  4. Ultimate information you have provided. It is very informative for me...
    Thanks for sharing this information.. Register Website