Yes. This actually happens.
Someone calls your API as API.EXAMPLE.COM instead of api.example.com…
And your backend responds with 404. Or 500. Or something equally embarrassing.
Congratulations — your API is sensitive to keyboard mood.
Rentgen runs a simple mutation: it takes the exact same request and uppercases only the domain. Nothing else changes. The expected behavior? Exactly the same 2xx response.
If it fails, that’s not “edge case”. That’s infrastructure smell.
DNS doesn’t care about casing. Browsers don’t care. Most tooling doesn’t care. If your API does — somewhere in your stack you’re matching the Host header as raw text instead of treating it like the identifier it is.
The worst part?
When this bug hits, nobody suspects it. Teams debug payloads, auth, headers, routing… while the root cause is literally Caps Lock.
In this run: 🟢 Pass (200 OK).
Good. That’s how it should behave.
But when it fails in real systems, it’s usually because of sloppy reverse proxy rules, case-sensitive host matching, or dev configs that were “temporary” three years ago.
Your API should not break because someone typed in uppercase.
Full breakdown and real-world cases here: https://rentgen.io/api-stories/uppercase-domain-handling.html
Top comments (0)