Ccna final exam - java, php, javascript, ios, cshap all in one.
Thursday, May 24, 2012
HTTP_HOST vs. SERVER_NAME
When would you consider using one over the other and why?
HTTP_HOST is the target host sent by the client. It can be manipulated freely by the user. It's no problem to send a request to your site asking for a HTTP_HOST value of www.stackoverflow.com.
SERVER_NAME comes from the server's VirtualHost definition and is therefore considered more reliable. It can, however, also be manipulated from outside under certain conditions related to how your web server is set up: See this SO question that deals with the security aspects of both variations.
You shouldn't rely on either to be safe. That said, what to use really depends on what you want to do. If you want to determine which domain your script is running on, you can safely use HTTP_HOST as long as invalid values coming from a malicious user can't break anything.
It took me a while to understand what people meant by "SERVER_NAME is more reliable". I use a shared server and do not have access to virtual host directives. So, I use mod_rewrite in .htaccess to map different HTTP_HOSTs to different directories. In that case, it is HTTP_HOST that is meaningful. The situation is similar if one uses name-based virtual hosts: the server_name directive within a virtual host simply says which HTTP_HOST will be mapped to this virtual host. The bottom line is that, in both cases, the "server name" provided by the client, which is actually called HTTP_HOST, must be matched with a name within the server, which is itself mapped to a directory. Whether the mapping is done with virtual host directives or with htaccess mod_rewrite rules is secondary here. In both cases, the HTTP_HOST must be the SERVER_NAME. I am glad that Apache is configured that way. However, the situation is different with IP-based virtual hosts. In this case and only in this case, SERVER_NAME and HTTP_HOST can be different, because now the client selects the server by the IP, not by the name. Indeed, there might be special configurations where this is important. So, starting from now, I will use SERVER_NAME, just in case my code is ported to these special configurations.
Please note that if you want to use IPv6, you probably want to use HTTP_HOST rather than SERVER_NAME. If you enter http://[::1]/ the environment variables will be the following:
HTTP_HOST = [::1]
SERVER_NAME = ::1
This means that if you do a mod_rewrite, for example, you might get a nasty result. Example for an SSL redirect:
# SERVER_NAME will NOT work - Redirection to https://::1/
RewriteRule .* https://%{SERVER_NAME}/
# HTTP_HOST will work - Redirection to https://[::1]/
RewriteRule .* https://%{HTTP_HOST}/
This applies ONLY if you access the server without a hostname.
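The two points made in the answers above (HTTP_HOST is whatever the client sent, and an IPv6 literal arrives bracketed in HTTP_HOST), shown as an added PHP example that is not part of the original posts: the Host value is parsed, checked against an allow-list, and only then used to build a redirect. The names ALLOWED_HOSTS, CANONICAL_HOST, parse_host_header, trusted_host and https_redirect_url, and the example.com hosts, are assumptions made for illustration.

```php
<?php
// Added example. The host names and allow-list are constructed for illustration.
const ALLOWED_HOSTS  = ['www.example.com', 'example.com', '[::1]'];
const CANONICAL_HOST = 'www.example.com';

/** Split a raw Host header into [host, port]; null if malformed. */
function parse_host_header(string $raw): ?array
{
    $raw = strtolower(trim($raw));
    // Accept "name", "name:port", "[v6]" and "[v6]:port"; D anchors $ at the true end.
    if (!preg_match('/^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/D', $raw, $m)) {
        return null;
    }
    $host = $m[1];
    // A bracketed literal must contain a real IPv6 address.
    if ($host[0] === '[' &&
        filter_var(substr($host, 1, -1), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
        return null;
    }
    $port = isset($m[2]) ? (int) $m[2] : null;
    if ($port !== null && ($port < 1 || $port > 65535)) {
        return null;
    }
    return [$host, $port];
}

/** Return the client-supplied host only when it is on the allow-list. */
function trusted_host(array $server): string
{
    $parsed = parse_host_header($server['HTTP_HOST'] ?? '');
    if ($parsed !== null && in_array($parsed[0], ALLOWED_HOSTS, true)) {
        return $parsed[0];
    }
    return CANONICAL_HOST; // never reflect an unrecognised Host value
}

/** Build the HTTPS redirect target from the vetted host. */
function https_redirect_url(array $server): string
{
    return 'https://' . trusted_host($server) . '/';
}

// Constructed requests: with port, IPv6 literal, foreign host, header-injection attempt.
foreach (['www.example.com:8080', '[::1]', 'www.stackoverflow.com', "evil.test\r\nX: y"] as $h) {
    echo json_encode($h), ' => ', https_redirect_url(['HTTP_HOST' => $h]), PHP_EOL;
}
```

The same allow-list works when the script reads SERVER_NAME instead, provided bare IPv6 literals are wrapped in brackets before they are placed in a URL.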
Depends what I want to find out. SERVER_NAME is the host name of the server, whilst HTTP_HOST is the virtual host that the client connected to.
If you want to check through a server.php, or whatever you want to call it, with the following:
<?php
phpinfo(INFO_VARIABLES);
?>
or
<?php
header("Content-type: text/plain");
print_r($_SERVER);
?>
Then access it with all the valid URLs for your site and check out the difference.