Yep, none of them are suitable for this use case; you need to validate the Host header first and reconstruct the URI first before parsing it.