fix: Do not include user information in Host header

[tindzk]

According to RFC 9110, section 7.2, the Host header should only comprise the URI host and an optional port.

Currently, the examples set the Host header to the URI's authority which may also contain user information (see RFC 3986, section 3.2).

Update the examples to construct the Host header manually to avoid sensitive information from showing up in server logs and to ensure that the server's routing logic works correctly when a username and password are supplied.

[seanmonstar]

Thanks for the PR! I agree with your assessment, this is more correct. I do wish, however, that the examples could remain as simple as possible...

hyper-util's legacy Client does it automatically. That should get extracted to a helper middleware, like SetHost. We can't reference it now, but if we eventually could, would a comment like // consider using tower_http::SetHost help people? This isn't very actionable in this PR...

[tindzk]

I agree with the sentiment of keeping the examples as minimal as possible. I have shortened the fix to always include the port number. This should be compatible with the majority of servers out there.

The same issue is also present on the website: https://hyper.rs/guides/1/client/basic/

[sfackler]

@seanmonstar I think this was closed by accident?

[hackermondev]

Clients shouldn't be sending a host header with http/2.

https://tools.ietf.org/html/rfc7540#page-55

Clients that generate HTTP/2 requests directly SHOULD use the ":authority" pseudo-header field instead of the Host header field.

Hyper automatically adds the :authority from the URI. Some servers (Google) reset the connection if the host header is sent with http2.

[seanmonstar]

While technically true, I'm so far inclined to keep the examples simple. There's many other things that a user would need to do to make a good client that are also not included.