Last year I helped a team debug a webhook handler that randomly rejected valid callbacks. The logs showed requests coming from a ‘different domain’… except the domain was the same. The bug turned out to be painfully simple: someone compared raw URL strings instead of comparing the hostname they actually cared about. A trailing dot, an explicit default port, and a mix of IPv6 literals made their string checks lie.\n\nIf you’ve ever built redirect validation, multi-tenant routing, allowlists, request logging, proxy rules, or SSRF defenses, you’ve felt this pain: you need the host part of a URL, and you need it consistently.\n\nJava’s java.net.URL has a getHost() method that looks almost too small to matter. In practice it’s one of those tiny API calls that quietly supports a lot of production correctness. I’ll show you what getHost() returns, what it does not return, and how to combine it with related methods (getAuthority(), getPort(), getProtocol(), and friends) so you can build checks that survive real traffic: ports, IPv6, file URLs, missing hosts, and internationalized domain names.\n\n## Where the host lives inside a URL (and why it’s easy to misread)\nA URL is more than ‘a link.’ It’s a structured identifier with named parts. When you say ‘host,’ you usually mean the network location portion that comes after the scheme and // and before :port and /path.\n\nA typical HTTPS URL:\n\n- Scheme: https\n- Authority: api.example.com:8443\n- Host: api.example.com\n- Port: 8443\n- Path: /v1/orders\n- Query: ?status=paid\n- Fragment: #receipt\n\nIn the generic form used across modern URL/URI specs (RFC 3986), the host sits inside the authority component:\n\nscheme://[userinfo@]host[:port]/path?query#fragment\n\nThat authority piece is where people get tripped up:\n\n- userinfo@ is rare today, but still legal.\n- Host can be a domain (example.com), an IPv4 address (203.0.113.7), or an IPv6 literal ([2001:db8::1]).\n- Port may be absent, even if the scheme implies a default.\n\nJava’s URL.getHost() is focused: it returns the host name portion (as a String) and nothing else.\n\n## Meet URL.getHost() (signature, behavior, and what it does not do)\nThe method is simple:\n\n- Signature: public String getHost()\n- Parameters: none\n- Return type: String\n\nYou call it like:\n\nurl.getHost()\n\nWhat you get back:\n\n- The hostname (or address literal) portion of the URL.\n- If the URL has no host component, you typically get an empty string ("").\n\nWhat you do not get back:\n\n- No scheme (https)\n- No port (:443)\n- No path (/v1/orders)\n- No query (?a=b)\n- No DNS resolution (this matters for performance and security)\n\nA complete runnable example:\n\njava\nimport java.net.URL;\n\npublic class HostBasics {\n public static void main(String[] args) {\n try {\n URL url = new URL("https://www.example.com/docs/index.html?ref=nav#top");\n\n System.out.println("URL = " + url);\n System.out.println("scheme = " + url.getProtocol());\n System.out.println("host = " + url.getHost());\n System.out.println("port = " + url.getPort()); // -1 means "not explicitly set"\n System.out.println("path = " + url.getPath());\n System.out.println("query = " + url.getQuery());\n System.out.println("fragment = " + url.getRef());\n } catch (Exception e) {\n System.out.println("Error: " + e.getMessage());\n }\n }\n}\n\n\nA few details I always keep in mind:\n\n- getHost() is purely parsing. It does not reach out to the network.\n- getPort() returns -1 if the port was not explicitly present in the textual URL.\n- If you need ‘effective port’ (like 443 for https), you compute it yourself (more on that soon).\n\n### Quick mental model: which method returns what?\nWhen I’m teaching this, I like to keep a short ‘map’ in my head. Here’s a practical cheat sheet you can refer back to:\n\n
Example URL
Notes
—
—
\n
getProtocol() https://a.example.com:8443/x
https Lower/upper depends on input; normalize if comparing.
getAuthority()
https://a.example.com:8443/x a.example.com:8443
userinfo@ if present. \n
getHost() https://a.example.com:8443/x
a.example.com No port, no brackets for IPv6.
getPort()
https://a.example.com:8443/x 8443
-1 means ‘not specified explicitly.’ \n
getPath() https://a.example.com:8443/x
/x Empty path can be "" for bare hosts.
getQuery()
https://a.example.com/x?a=b a=b
?. \n
getRef() https://a.example.com/x#t
t Fragment without #.
getHost() answers only one question—‘what host was parsed?’—not ‘where will this connect?’ (ports, proxies, DNS) and not ‘is it safe?’ (validation, allowlists).\n\n## Host vs authority vs port: building correct comparisons\nMost real problems are not ‘print the host.’ They’re ‘decide if this URL is allowed’ or ‘route based on tenant domain.’ That means you need to compare the right pieces.\n\nHere’s the key relationship:\n\n- getAuthority() returns something like "www.example.com:8443" (and may include user info if present).\n- getHost() returns "www.example.com"\n- getPort() returns 8443 or -1\n\nRunnable example that prints these differences:\n\njava\nimport java.net.URL;\n\npublic class HostAuthorityPort {\n public static void main(String[] args) {\n try {\n URL url = new URL("https://www.example.com:8443/api/v2/health");\n\n System.out.println("URL = " + url);\n System.out.println("authority = " + url.getAuthority());\n System.out.println("host = " + url.getHost());\n System.out.println("port = " + url.getPort());\n } catch (Exception e) {\n System.out.println("Error: " + e.getMessage());\n }\n }\n}\ngetAuthority() when you meant to compare just host\n- You’ll reject example.com if someone sends example.com:443.\n\n2) Comparing raw strings of full URLs\n- Path, query, fragment, default ports, and superficial formatting changes will break you.\n\n3) Forgetting that ‘no explicit port’ is different from ‘port 443’\n- https://example.com → getPort() == -1\n- https://example.com:443 → getPort() == 443\n\nIf you actually care about the destination socket (host + effective port), compute it explicitly:\n\njava\nimport java.net.URL;\n\npublic class EffectivePortExample {\n static int effectivePort(URL url) {\n int port = url.getPort();\n if (port != -1) return port;\n\n // Basic defaults; extend if you handle more schemes.\n return switch (url.getProtocol()) {\n case "http" -> 80;\n case "https" -> 443;\n default -> -1;\n };\n }\n\n public static void main(String[] args) {\n try {\n URL a = new URL("https://www.example.com/api");\n URL b = new URL("https://www.example.com:443/api");\n\n System.out.println("A host=" + a.getHost() + " port=" + effectivePort(a));\n System.out.println("B host=" + b.getHost() + " port=" + effectivePort(b));\n } catch (Exception e) {\n System.out.println("Error: " + e.getMessage());\n }\n }\n}\nsplit("/") and regret it later. Here’s how I frame it in code reviews:\n\nGoal
URL/URI parsing approach
—
—
Extract hostname
[::1]), user-info, weird spacing new URL(...).getHost() or URI.getHost()
Handle default ports
getPort() + computed effective port
Validate scheme
url.getProtocol() check
Security checks (SSRF-related)
Combine strict parsing + host allowlist + network-layer controls
getHost() is still predictable, but you need to understand the shapes it can take.\n\n### 1) Missing host → empty string\nIf you create a URL that doesn’t include a host, Java can still construct it (depending on scheme rules), and getHost() can return "".\n\njava\nimport java.net.URL;\n\npublic class MissingHost {\n public static void main(String[] args) {\n try {\n URL url = new URL("https:");\n System.out.println("URL = " + url);\n System.out.println("host = [" + url.getHost() + "]");\n } catch (Exception e) {\n System.out.println("Error: " + e.getMessage());\n }\n }\n}\nhttp://[2001:db8::42]/status\n\nIn Java, getHost() gives you the literal address without the brackets.\n\njava\nimport java.net.URL;\n\npublic class IPv6Host {\n public static void main(String[] args) {\n try {\n URL url = new URL("http://[2001:db8::42]:8080/status");\n System.out.println("URL = " + url);\n System.out.println("host = " + url.getHost());\n System.out.println("port = " + url.getPort());\n } catch (Exception e) {\n System.out.println("Error: " + e.getMessage());\n }\n }\n}\nfile: URLs\nfile: URLs often have no authority section:\n\n- Local file: file:///Users/alex/app/config.yaml (host is empty)\n- Remote/UNC style: file://fileserver/share/app/config.yaml (host is fileserver)\n\njava\nimport java.net.URL;\n\npublic class FileUrlHost {\n public static void main(String[] args) {\n try {\n URL local = new URL("file:///Users/alex/app/config.yaml");\n URL remote = new URL("file://fileserver/share/app/config.yaml");\n\n System.out.println("local host=[" + local.getHost() + "] path=" + local.getPath());\n System.out.println("remote host=[" + remote.getHost() + "] path=" + remote.getPath());\n } catch (Exception e) {\n System.out.println("Error: " + e.getMessage());\n }\n }\n}\nhttps://münich.example/ into browsers, but the on-the-wire representation often becomes punycode (xn--...).\n\nIn Java, you’ll often want to normalize using java.net.IDN.\n\njava\nimport java.net.IDN;\nimport java.net.URL;\nimport java.util.Locale;\n\npublic class IdnNormalization {\n static String normalizeHostForComparison(String host) {\n if (host == null) return null;\n // Locale.ROOT avoids weird casing rules in some locales.\n String lower = host.toLowerCase(Locale.ROOT);\n // Convert Unicode domain to ASCII form (punycode) for consistent storage/comparison.\n return IDN.toASCII(lower);\n }\n\n public static void main(String[] args) {\n try {\n URL url = new URL("https://münich.example/path");\n String host = url.getHost();\n\n System.out.println("raw host = " + host);\n System.out.println("normalized host = " + normalizeHostForComparison(host));\n } catch (Exception e) {\n System.out.println("Error: " + e.getMessage());\n }\n }\n}\nexample.com and example.com. as the same fully-qualified name in many contexts, but string comparisons do not. URL.getHost() will give you what was parsed; it won’t silently remove a trailing dot.\n\nIf you run an allowlist, decide your policy:\n\n- Reject trailing dots (simpler, predictable)\n- Or normalize by stripping a final . (but be consistent everywhere)\n\nI prefer rejecting for public-facing validation unless I have a strong reason to accept.\n\n### 6) Case-insensitivity: Example.COM vs example.com\nHostnames are effectively case-insensitive in practice. But Java will happily preserve the user’s casing in the textual input. If you compare hosts as strings, normalize them:\n\n- Convert to lowercase with Locale.ROOT.\n- If you deal with Unicode domains, convert to ASCII with IDN.toASCII(...) after lowercasing.\n\nA tiny helper I reuse a lot:\n\njava\nimport java.net.IDN;\nimport java.util.Locale;\n\npublic class HostNormalize {\n public static String canonicalHost(String host) {\n if (host == null) return null;\n String h = host.trim();\n if (h.isEmpty()) return "";\n\n // Optional: reject or strip a final dot. Here I strip it to be tolerant.\n if (h.endsWith(".")) {\n h = h.substring(0, h.length() - 1);\n }\n\n h = h.toLowerCase(Locale.ROOT);\n return IDN.toASCII(h);\n }\n}\nhttp://user:[email protected]/path. Modern browsers and tools discourage it, but it still appears in data pipelines and old integrations.\n\nImportant subtlety: getHost() ignores user info by design (good), but getAuthority() can include it (risky to log).\n\nIf you log getAuthority() blindly, you can accidentally leak credentials. This is one reason I usually build logs using getProtocol(), getHost(), and the effective port rather than dumping the authority.\n\n### 8) IPv6 zone identifiers (link-local)\nIn some environments you’ll see link-local IPv6 with zone IDs, like fe80::1%en0. In URLs those are encoded (you’ll see %25 for the %).\n\nExample shape (don’t memorize it; just recognize it):\n\n- Textual URL: http://[fe80::1%25en0]/\n\nIf you’re building allowlists, treat these carefully. In most server-side systems, you’ll want to reject link-local ranges entirely for outbound traffic (they’re almost never a legitimate external callback destination).\n\n## URL vs URI in modern Java: which one should you parse with?\nIn day-to-day Java (JDK 21+), I treat URL and URI as two different tools:\n\n- java.net.URI is the better ‘identifier parser’ and is what I reach for when I need strict parsing, normalization, or safe equality.\n- java.net.URL is still fine for host extraction and for opening connections, but it has historical footguns around equality and hashing.\n\nTwo practical points:\n\n1) URL.equals() and URL.hashCode() have historically involved name service lookups in some cases, because URLs were designed with the concept of ‘same resource’ rather than ‘same text.’ That can make URLs risky as map keys in hot paths.\n\n2) URI is more explicit about what’s hierarchical (has //authority) vs opaque (mailto:[email protected]-style). Many strings you see in the wild are URIs but not URLs you can dereference.\n\nIf your input is ‘a URL-like string from a user’ and you want a host:\n\n- Parse with URI first.\n- Validate scheme and that it is hierarchical.\n- Then read uri.getHost().\n- Only convert to URL at the edge where you actually need openConnection().\n\nExample:\n\njava\nimport java.net.URI;\nimport java.util.Locale;\n\npublic class UriFirstParsing {\n public static void main(String[] args) {\n String input = "https://www.example.com:443/account/profile";\n\n try {\n URI uri = URI.create(input);\n\n if (uri.getScheme() == null URL because that’s what your API already takes, I still recommend validating scheme and host right after construction.\n\n## Real-world patterns: logging, routing, and security checks\nThis is where getHost() becomes more than trivia.\n\n### Pattern 1: Structured logging without leaking secrets\nWhen you log full URLs, query strings often contain tokens (?token=...). I prefer logging only:\n\n- scheme\n- host\n- effective port\n- path (sometimes)\n\nExample helper:\n\njava\nimport java.net.URL;\n\npublic class SafeUrlLogging {\n static int effectivePort(URL url) {\n int port = url.getPort();\n if (port != -1) return port;\n return switch (url.getProtocol()) {\n case "http" -> 80;\n case "https" -> 443;\n default -> -1;\n };\n }\n\n static String safeTargetForLogs(URL url) {\n String scheme = url.getProtocol();\n String host = url.getHost();\n int port = effectivePort(url);\n String path = url.getPath();\n\n // Avoid query and fragment in logs.\n if (port == -1) return scheme + "://" + host + path;\n\n // Optional: hide default ports to reduce noise.\n boolean isDefault = (scheme.equals("http") && port == 80) https://example.com then allow.’ And then a user discovers the weird cases.\n\nIf your policy is ‘redirect only to these hosts’ then compare hosts, not whole strings. Also decide whether you care about scheme and port. In many applications I care about all three: scheme + host + effective port.\n\nHere’s a concrete example: validate a redirect target coming from an untrusted query parameter.\n\njava\nimport java.net.IDN;\nimport java.net.URI;\nimport java.util.Locale;\nimport java.util.Set;\n\npublic class RedirectValidator {\n private static final Set ALLOWEDHOSTS = Set.of(\n "example.com",\n "www.example.com",\n "app.example.com"\n );\n\n static String canonicalHost(String host) {\n if (host == null) return null;\n String h = host.trim();\n if (h.endsWith(".")) h = h.substring(0, h.length() - 1);\n h = h.toLowerCase(Locale.ROOT);\n return IDN.toASCII(h);\n }\n\n static int effectivePort(URI uri) {\n int port = uri.getPort();\n if (port != -1) return port;\n String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);\n return switch (scheme) {\n case "http" -> 80;\n case "https" -> 443;\n default -> -1;\n };\n }\n\n public static boolean isAllowedRedirect(String raw) {\n URI uri;\n try {\n uri = URI.create(raw);\n } catch (IllegalArgumentException e) {\n return false;\n }\n\n if (uri.getScheme() == null tenant-a.example.com vs tenant-b.example.com. Or customers bring their own domain, and you map it to a tenant.\n\nIn those systems, I use getHost() to make the extraction boring and correct, and then I apply my business logic on top. For example:\n\n- If host ends with .example.com, treat the left-most label(s) as a tenant key.\n- Else, look up the full host in a custom domain table.\n\nHere’s a simplified extractor that pulls a tenant slug from tenant.example.com and rejects tricky cases.\n\njava\nimport java.net.IDN;\nimport java.net.URL;\nimport java.util.Locale;\n\npublic class TenantFromHost {\n static String canonicalHost(String host) {\n if (host == null) return null;\n String h = host.trim();\n if (h.endsWith(".")) h = h.substring(0, h.length() - 1);\n h = h.toLowerCase(Locale.ROOT);\n return IDN.toASCII(h);\n }\n\n static String tenantFromUrl(URL url) {\n String host = canonicalHost(url.getHost());\n if (host == null getHost() is necessary but not sufficient\nSSRF (Server-Side Request Forgery) defenses are where I see people over-trust parsing. Here’s the honest framing I use:\n\n- getHost() helps you consistently extract what the user claimed the host is.\n- SSRF is about where you actually connect, which can be influenced by DNS, IP ranges, redirects, proxies, and sometimes even unusual schemes.\n\nSo I treat getHost() as step one of a layered defense:\n\n1) Parse and validate: only allow http and https, require a host, reject user info.\n2) Compare host to allowlist (if your business allows it).\n3) Resolve the host to IP(s) and block internal/private/link-local ranges (if you must allow arbitrary hosts).\n4) Enforce network egress controls (firewall/VPC rules) where possible.\n5) Disable or tightly control redirects when making outbound requests.\n\nA practical ‘baseline’ validator (still not a complete SSRF solution, but miles better than string checks):\n\njava\nimport java.net.IDN;\nimport java.net.InetAddress;\nimport java.net.URI;\nimport java.util.Locale;\n\npublic class OutboundUrlPolicy {\n static String canonicalHost(String host) {\n if (host == null) return null;\n String h = host.trim();\n if (h.endsWith(".")) h = h.substring(0, h.length() - 1);\n h = h.toLowerCase(Locale.ROOT);\n return IDN.toASCII(h);\n }\n\n static boolean isPrivateAddress(InetAddress addr) {\n return addr.isAnyLocalAddress()\n host.isEmpty()) {\n throw new IllegalArgumentException("Host is required");\n }\n\n // Optional hard policy: block raw IP literals if you only expect domains.\n // (Not perfect, but often useful.)\n // if (host.matches("\\d+\\.\\d+\\.\\d+\\.\\d+")) throw ...;\n\n try {\n InetAddress[] addrs = InetAddress.getAllByName(host);\n for (InetAddress addr : addrs) {\n if (isPrivateAddress(addr)) {\n throw new IllegalArgumentException("Private/internal address not allowed: " + addr.getHostAddress());\n }\n }\n } catch (Exception e) {\n throw new IllegalArgumentException("DNS lookup failed or blocked: " + e.getMessage());\n }\n }\n}\n\n\nA few real-world cautions I’ve learned the hard way:\n\n- DNS checks can be bypassed in advanced scenarios (rebinding, time-of-check vs time-of-use). That’s why network-level egress controls are the ‘adult’ solution when you can get them.\n- If you allow redirects, you must re-validate the destination host on every redirect hop, not just the first URL.\n- If you use an outbound HTTP client that respects system proxies, your connection might go somewhere you didn’t anticipate. That’s not inherently bad, but it changes your threat model.\n\n### Pattern 5: Comparing URLs in caches and maps (avoid URL equality surprises)\nSometimes the task isn’t security—it’s performance. For example, you’re caching per-host metrics or circuit breakers. A naive implementation might key a HashMap or compare URL objects for equality.\n\nEven if you never hit name service lookups, that’s still more complexity than you need. I prefer to create an explicit key type that uses exactly what I care about: canonical host + effective port + scheme.\n\njava\nimport java.net.IDN;\nimport java.net.URL;\nimport java.util.Locale;\nimport java.util.Objects;\n\npublic final class HostKey {\n public final String scheme;\n public final String host;\n public final int port;\n\n public HostKey(String scheme, String host, int port) {\n this.scheme = scheme;\n this.host = host;\n this.port = port;\n }\n\n static String canonicalHost(String host) {\n if (host == null) return null;\n String h = host.trim();\n if (h.endsWith(".")) h = h.substring(0, h.length() - 1);\n h = h.toLowerCase(Locale.ROOT);\n return IDN.toASCII(h);\n }\n\n static int effectivePort(URL url) {\n int p = url.getPort();\n if (p != -1) return p;\n return switch (url.getProtocol()) {\n case "http" -> 80;\n case "https" -> 443;\n default -> -1;\n };\n }\n\n public static HostKey fromUrl(URL url) {\n String scheme = url.getProtocol().toLowerCase(Locale.ROOT);\n String host = canonicalHost(url.getHost());\n int port = effectivePort(url);\n return new HostKey(scheme, host, port);\n }\n\n @Override\n public boolean equals(Object o) {\n if (this == o) return true;\n if (!(o instanceof HostKey)) return false;\n HostKey other = (HostKey) o;\n return port == other.port\n && Objects.equals(scheme, other.scheme)\n && Objects.equals(host, other.host);\n }\n\n @Override\n public int hashCode() {\n return Objects.hash(scheme, host, port);\n }\n\n @Override\n public String toString() {\n return scheme + "://" + host + ":" + port;\n }\n}\n\n\nThis is one of those ‘boring infrastructure’ improvements that pays for itself: fewer cache misses, fewer surprises, and keys that match your intent.\n\n## Practical pitfalls (the ones I actually see)\nI want to call out a few patterns that show up repeatedly in real systems. If you avoid these, you’ll avoid a bunch of painful bugs.\n\n### Pitfall 1: Assuming getHost() implies a network connection is possible\ngetHost() can return a string even for weird or partial inputs (depending on how you constructed the URL). It doesn’t mean you can connect, it doesn’t mean DNS exists, and it doesn’t mean your HTTP client will use it (proxies and redirects can change behavior).\n\nWhat I do instead:\n\n- Treat parsing as parsing.\n- Treat connection logic as connection logic, with explicit policies and timeouts.\n\n### Pitfall 2: Forgetting that -1 ports change comparisons\nThis one is subtle because -1 is technically correct: it means ‘not explicitly specified.’ But business logic often cares about ‘where will it connect,’ which is the effective port.\n\nRule of thumb I follow:\n\n- If I’m comparing user input for policy decisions, I compute effective ports.\n- If I’m preserving the user’s original URL for display, I keep the raw port distinction.\n\n### Pitfall 3: Mixing up ‘Host header’ and URL host\nIn server-side HTTP handlers, there are two different concepts:\n\n- The host embedded in a URL you parse (for redirects/outbound calls).\n- The Host header (or :authority in HTTP/2) of an incoming request.\n\nThey often match, but they don’t have to. Proxies, load balancers, and misconfigured clients can produce surprises.\n\nIf your app uses host-based routing, validate incoming host headers using the same canonicalization approach (lowercase, optional IDN normalization, explicit port rules). But don’t confuse that with URL.getHost()—they are similar strings in different layers.\n\n### Pitfall 4: Logging the wrong part and leaking secrets\nI mentioned it earlier, but it’s worth repeating: do not log getAuthority() if you can’t guarantee there is no user info. Build log strings explicitly from safe pieces.\n\n## When to use URL.getHost() vs URI.getHost()\nI’m not dogmatic about it, but here’s how I decide.\n\n### I reach for URL.getHost() when\n- I already have a URL object (library APIs often hand you one).\n- I’m working with code that ultimately needs a URL anyway (connections, legacy APIs).\n- I want quick host extraction and I’ve already validated inputs elsewhere.\n\n### I reach for URI.getHost() when\n- The input is an untrusted string and I want stricter parsing and clearer semantics.\n- I care about normalization and building safe comparisons.\n- I plan to use the parsed value for policy decisions (redirect allowlists, outbound fetch rules).\n\nIn either case, the core idea is the same: don’t do string hacks when the platform already gives you a parser.\n\n## Performance considerations (what matters and what doesn’t)\nHost extraction itself is cheap: it’s parsing, not networking. The performance issues usually come from what you do next.\n\n### 1) Avoid accidental DNS work\n- getHost() does not resolve DNS. Good.\n- But other operations in URL land can trigger name service resolution in surprising ways (especially if you lean on URL equality or other behaviors).\n\nMy approach:\n\n- Use URI and explicit comparison keys for hot paths.\n- Resolve DNS only where you truly need it (and consider caching if appropriate).\n\n### 2) Normalize once, compare many times\nIf you have an allowlist of 100 hosts and you validate 1 million URLs a day, you want to normalize hosts efficiently:\n\n- Pre-normalize allowlist entries into a Set of canonical hosts.\n- Normalize each input host once.\n- Compare canonical strings.\n\n### 3) Don’t build giant log strings on hot paths\nThis is less about getHost() and more about practice: logging full URLs for every request can be expensive and noisy. I prefer structured logs with small fields: scheme, host, port, path.\n\n## A checklist I use for ‘host-based’ correctness\nWhenever I see host-based logic, I run through this list:\n\n1) Are we parsing with URL/URI (not string hacks)?\n2) Do we require a scheme and host when the feature needs it?\n3) Do we normalize host before comparison (case, IDN, trailing dot policy)?\n4) Do we treat implicit ports the same as explicit default ports when needed?\n5) Are we logging safely (no query, no user info)?\n6) If this is security-sensitive (SSRF/redirect), do we also control redirects and block private IP ranges?\n\nThat checklist is my ‘small investment’ that prevents weeks of debugging later.\n\n## More examples: small, focused host extractions\nSometimes you just want quick demos that show behavior. Here are a few I keep around.\n\n### Example: host from IPv4\njava\nimport java.net.URL;\n\npublic class HostFromIPv4 {\n public static void main(String[] args) throws Exception {\n URL url = new URL("http://203.0.113.7:8080/status");\n System.out.println(url.getHost());\n System.out.println(url.getPort());\n }\n}\n\n\n### Example: host is empty for a local file URL\njava\nimport java.net.URL;\n\npublic class HostFromFile {\n public static void main(String[] args) throws Exception {\n URL url = new URL("file:///tmp/report.txt");\n System.out.println("host=[" + url.getHost() + "]");\n System.out.println("path=" + url.getPath());\n }\n}\n\n\n### Example: show why string splitting fails on IPv6\njava\nimport java.net.URL;\n\npublic class DontSplitOnColon {\n public static void main(String[] args) throws Exception {\n URL url = new URL("http://[2001:db8::1]:8080/a");\n System.out.println("host=" + url.getHost());\n System.out.println("authority=" + url.getAuthority());\n }\n}\n\n\nIf you’re tempted to split on : to get host and port, this example is your reminder that IPv6 exists and does not care about your split logic.\n\n## FAQ (the questions I get most often)\n\n### Does getHost() perform DNS lookups?\nNo. It parses the URL string and returns the host component. Any DNS resolution happens only if you explicitly resolve (for example, with InetAddress.getAllByName(...)) or if you do something else that triggers networking behavior.\n\n### Why does getPort() return -1?\nBecause the port was not explicitly written in the URL. This is a feature: it preserves what the input actually said. If your logic needs default ports, compute the effective port based on scheme.\n\n### Should I store hosts exactly as users enter them?\nFor display, sometimes yes. For comparison, routing, and allowlists, I normalize. The most common normalizations are: lowercase with Locale.ROOT, convert Unicode hostnames to ASCII with IDN.toASCII, and adopt a consistent trailing-dot policy.\n\n### Is URL always the right class?\nNot always. If you’re mostly validating and comparing identifiers, URI is often the better choice. I still use URL.getHost() frequently because many Java APIs expose URL, and the method is a reliable way to extract the host portion.\n\n## Closing thought\nURL.getHost() is not complicated, and that’s exactly why it’s valuable. It gives you a clean, explicit boundary: ‘this is the host portion of the URL.’ Once you have that, the real work begins—normalizing it, deciding how ports should behave, and applying policy that matches your actual intent.\n\nWhenever I see code that tries to do host logic with string comparisons, I assume there’s a production bug waiting to happen. getHost() is the first step toward making those bugs boringly avoidable.
