What do the plus + and star * signs mean in URLs reserved with the "netsh url add" command?

When reserving HTTP URLs in Windows using the "netsh http add urlacl" command, you might have noticed that the URLs sometimes contain a + or * character. These symbols are wildcards that control how the URL binding matches incoming requests.

Here are common examples:

http://+:8080/
http://*:8080/
http://localhost:8080/
http://myserver:8080/

The + wildcard matches any hostname that resolves to the computer. The * wildcard matches any hostname and any IP address. In practice, they behave similarly, but there are subtle differences in how they interact with host headers and security policies.

For example, using http://+:8080/ means your application will accept requests to any hostname that maps to the machine, including DNS aliases. Using http://*:8080/ goes one step further, matching all hostnames and all network interfaces, even those added later.

When possible, it's a good practice to specify an explicit hostname to improve security. Wildcards are convenient for local development or internal tools, but in production, reserved URLs should match exactly what you expect.

You can always list current URL reservations with:

netsh http show urlacl

Understanding these wildcards is especially useful when self-hosting ASP.NET Core applications with Kestrel or HTTP.sys, since the same URL reservation system applies there as well.