Back to Blog

Are Domains and SSL Certificates Case Sensitive? Sometimes.

March 19, 2026 Justin 3 min read
SSL DNS Security Headers CDN TLS

Quick—is Example.com the same as example.com? You'd say yes. DNS says yes. Browsers say yes. But the infrastructure in between? Not always.

DNS: Case-Insensitive

This one is straightforward. RFC 4343 says DNS names are case-insensitive. EXAMPLE.COM, Example.com, and example.com all resolve to the same IP. This has been true since 1987. No surprises here.

SSL Certificates: Case-Insensitive (In Your Browser)

RFC 6125 says certificate matching should be case-insensitive. When your browser checks whether a cert is valid for the domain you're visiting, it compares them without caring about capitalization. You'll never see a certificate error just because you typed a capital letter in the address bar.

Where It Gets Weird

The gap is in everything between DNS resolution and your browser's certificate check.

SNI (Server Name Indication) — When a TLS connection starts, the client sends the hostname in the ClientHello so the server knows which certificate to serve. The spec says this should be case-insensitive. Some servers and load balancers don't follow the spec. Send Example.com in the SNI instead of example.com and you might get a completely different certificate back—or a default fallback cert.

CDN Routing — CDNs like Fastly, Cloudflare, and Akamai use the Host header and SNI to route requests. Some do case-sensitive string matching against their internal routing tables. If the domain was configured as example.com, a request for Example.com might hit a different route, different origin, or different certificate.

Redirects and Headers — Some servers normalize to lowercase in their redirect rules, others preserve the original casing. This can change the entire chain—different redirect targets, different server blocks handling the request, different security headers (HSTS, CSP, X-Frame-Options) coming back.

Real example: scanning Nypost.com vs nypost.com returns different results—different certificates, different security headers. Same site, same DNS, different TLS behavior just from a capital letter.

The Takeaway

For everyday browsing, none of this matters. Your browser handles it. But if you run a website, it's worth knowing that different capitalization of your domain can return different certificates and different headers depending on how your CDN or load balancer is configured. Every variation should behave identically—if it doesn't, that's a config gap.

DNS is case-insensitive. Browsers are case-insensitive. But SNI, CDN routing, and server configs? The RFCs say they should be. Real-world infrastructure says otherwise.