Yeah, I agree. I recommend {hostport} in the original issue where regressions were posted:
The breakage is actually obvious which was part of the point. Clarifying the factors we considered for this:
- Alternative (previous behavior) is non-obvious insecurity. Application functions but has security vulnerabilities in some cases.
- This behavior breaks in an obvious way, and has an easy fix:
header_up Host {hostport} - Practically, this change mostly only affects those connections where
tls_insecure_skip_verifyis used, and these are not really officially considered legitimate production use cases. Disabling security is just not a great solution in any case. Caddy can fully automate internal PKI and apps or Caddy, one way or another, can be configured to properly trust the certs. (And I am not sure I have seen a complaint where this option was not used.)
So, I think in the grand scheme of things, breakage was actually very minimal, obvious, and seems to be limited to controversial configs anyway…
Sorry the release notes were not more clear. We did highlight this change, but maybe it needed a 
or something?