193

I did a lot of searching and also read the PHP $_SERVER docs. Do I have this right regarding which to use for my PHP scripts for simple link definitions used throughout my site?

$_SERVER['SERVER_NAME'] is based on your web server's config file (Apache2 in my case), and varies depending on a few directives: (1) VirtualHost, (2) ServerName, (3) UseCanonicalName, etc.

$_SERVER['HTTP_HOST'] is based on the request from the client.

Therefore, it would seem to me that the proper one to use in order to make my scripts as compatible as possible would be $_SERVER['HTTP_HOST']. Is this assumption correct?

Followup comments:

I guess I got a little paranoid after reading this article and noting that some folks said "they wouldn't trust any of the $_SERVER vars":

Apparently the discussion is mainly about $_SERVER['PHP_SELF'] and why you shouldn't use it in the form action attribute without proper escaping to prevent XSS attacks.

My conclusion about my original question above is that it is "safe" to use $_SERVER['HTTP_HOST'] for all links on a site without having to worry about XSS attacks, even when used in forms.

Please correct me if I'm wrong.

Improve this question

9 Answers 9

Reset to default
171

That’s probably everyone’s first thought. But it’s a little bit more difficult. See Chris Shiflett’s article SERVER_NAME Versus HTTP_HOST.

It seems that there is no silver bullet. Only when you force Apache to use the canonical name you will always get the right server name with SERVER_NAME.

So you either go with that or you check the host name against a white list:

$allowed_hosts = array('foo.example.com', 'bar.example.com'); if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) { header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request'); exit; }
Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Lol, I read that article and it didn't really seem to answer my question. Which one do the pro devs use? If either.
Iiiiinteresting, I never knew SERVER_NAME used the user-supplied values by default in Apache.
@Jeff, For servers that host more than one sub/domain, you have only two choices $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] (aside from implementing some other custom handshake based on the user request). Pro devs do not trust the things they don't understand completely. So they either have their SAPI setup perfectly correctly (in which case the option they use will give the correct result), or they'll do whitelisting such that it doesn't matter what values the SAPI supply.
@Pacerier array_key_exists and in_array do different things, former checks for keys, latter values, so you can't just interchange them. Also, if you have an array of two values, you shouldn't really be worried about O(n) performance...
I know this is an old question, but if your goal is to use global server variables, why not specify them with environment variables that you control? Dotenv, etc.
|
92

Just an additional note - if the server runs on a port other than 80 (as might be common on a development/intranet machine) then HTTP_HOST contains the port, while SERVER_NAME does not.

$_SERVER['HTTP_HOST'] == 'localhost:8080' $_SERVER['SERVER_NAME'] == 'localhost'

(At least that's what I've noticed in Apache port-based virtualhosts)

As Mike has noted below, HTTP_HOST does not contain :443 when running on HTTPS (unless you're running on a non-standard port, which I haven't tested).

Improve this answer

3 Comments

Note: The port is not present in HTTP_HOST for 443 either (default SSL port).
So in other words, the value of HTTP_HOST is not exactly the Host: parameter the user supplied. It;s merely based on that.
@Pacerier No, this is the opposite: HTTP_HOST is exactly the Host: field that was supplied with the HTTP request. The port is part of it and browsers don't mention it when it is the default one (80 for HTTP; 443 for HTTPS)
32

Use either. They are both equally (in)secure, as in many cases SERVER_NAME is just populated from HTTP_HOST anyway. I normally go for HTTP_HOST, so that the user stays on the exact host name they started on. For example if I have the same site on a .com and .org domain, I don't want to send someone from .org to .com, particularly if they might have login tokens on .org that they'd lose if sent to the other domain.

Either way, you just need to be sure that your webapp will only ever respond for known-good domains. This can be done either (a) with an application-side check like Gumbo's, or (b) by using a virtual host on the domain name(s) you want that does not respond to requests that give an unknown Host header.

The reason for this is that if you allow your site to be accessed under any old name, you lay yourself open to DNS rebinding attacks (where another site's hostname points to your IP, a user accesses your site with the attacker's hostname, then the hostname is moved to the attacker's IP, taking your cookies/auth with it) and search engine hijacking (where an attacker points their own hostname at your site and tries to make search engines see it as the ‘best’ primary hostname).

Apparently the discussion is mainly about $_SERVER['PHP_SELF'] and why you shouldn't use it in the form action attribute without proper escaping to prevent XSS attacks.

Pfft. Well you shouldn't use anything in any attribute without escaping with htmlspecialchars($string, ENT_QUOTES), so there's nothing special about server variables there.

Improve this answer

3 Comments

Stay with solution (a), (b) is not really safe, using absolute URI in HTTP requests allows for name based virtualhosts security bypass. So the real rule is never trust SERVER_NAME or HTTP_HOST.
@bobince, How does the mentioned search engine hijacking work? Search engines map words to domain urls, they don't deal with IPs. So why do you say that "an attacker can make search engines see attacker.com as the best primary source for your server's IP" mean? That doesn't seem to mean anything to search engines, What's that even going to do?
Google certainly had (and probably still has in some form) the concept of dupe sites, so that if your site is accessible as http://example.com/, http://www.example.com/ and http://93.184.216.34/ it would combine them into one site, choose the most popular of the addresses, and only return links to that version. If you could point evil-example.comat the same address and make Google briefly see that as the more popular address you could steal the site's juice. I don't know how practical this is today but I've seen Russian link farm attackers try to do it in the past.
27

This is a verbose translation of what Symfony uses to get the host name (see the second example for a more literal translation):

function getHost() { $possibleHostSources = array('HTTP_X_FORWARDED_HOST', 'HTTP_HOST', 'SERVER_NAME', 'SERVER_ADDR'); $sourceTransformations = array( "HTTP_X_FORWARDED_HOST" => function($value) { $elements = explode(',', $value); return trim(end($elements)); } ); $host = ''; foreach ($possibleHostSources as $source) { if (!empty($host)) break; if (empty($_SERVER[$source])) continue; $host = $_SERVER[$source]; if (array_key_exists($source, $sourceTransformations)) { $host = $sourceTransformations[$source]($host); } } // Remove port number from host $host = preg_replace('/:\d+$/', '', $host); return trim($host); }

Outdated:

This is my translation to bare PHP of a method used in Symfony framework that tries to get the hostname from every way possible in order of best practice:

function get_host() { if ($host = $_SERVER['HTTP_X_FORWARDED_HOST']) { $elements = explode(',', $host); $host = trim(end($elements)); } else { if (!$host = $_SERVER['HTTP_HOST']) { if (!$host = $_SERVER['SERVER_NAME']) { $host = !empty($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : ''; } } } // Remove port number from host $host = preg_replace('/:\d+$/', '', $host); return trim($host); }
Improve this answer

12 Comments

@StefanNch Please define "this way".
@showdev I really find "hard" to read condition statement like if ($host = $_SERVER['HTTP_X_FORWARDED_HOST']) or x = a == 1 ? True : False. First time I've saw it my brain was looking for $host instantiation and an answer for "why is only one "=" sign?". I'm starting to dislike weak typing programming languages. Everything is written differently. You don't save time and you're not special. I don't write code this way, because after time passes, I'm the one who needs to debug it. Looks really messy for a tired brain! I know my english is engrish, but at least i try.
guys, I simply ported the code from Symfony. This is the way I took it. For all it matters - it works and it seems quite thorough. I, myself, also thing this is not readable enough but I haven't had time to rewrite it completely.
Looks fine to me. Those are ternary operators and actually can save time (and bytes) without diminishing readability, when used appropriately.
@antitoxic, -1 Symfony coders (like many others) don't exactly know what they are doing in this case. This doesn't give you the host name (see Simon's answer). This merely give you a best guess which will be wrong many times.
|
12

Is it "safe" to use $_SERVER['HTTP_HOST'] for all links on a site without having to worry about XSS attacks, even when used in forms?

Yes, it's safe to use $_SERVER['HTTP_HOST'], (and even $_GET and $_POST) as long as you verify them before accepting them. This is what I do for secure production servers:

/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ $reject_request = true; if(array_key_exists('HTTP_HOST', $_SERVER)){ $host_name = $_SERVER['HTTP_HOST']; // [ need to cater for `host:port` since some "buggy" SAPI(s) have been known to return the port too, see https://stackoverflow.com/questions/1459739/php-serverhttp-host-vs-serverserver-name-am-i-understanding-the-ma/12046836#12046836 $strpos = strpos($host_name, ':'); if($strpos !== false){ $host_name = substr($host_name, $strpos); } // ] // [ for dynamic verification, replace this chunk with db/file/curl queries $reject_request = !array_key_exists($host_name, array( 'a.com' => null, 'a.a.com' => null, 'b.com' => null, 'b.b.com' => null )); // ] } if($reject_request){ // log errors // display errors (optional) exit; } /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ echo 'Hello World!'; // ...

The advantage of $_SERVER['HTTP_HOST'] is that its behavior is more well-defined than $_SERVER['SERVER_NAME']. Contrast ➫➫:

Contents of the Host: header from the current request, if there is one.

with:

The name of the server host under which the current script is executing.

Using a better defined interface like $_SERVER['HTTP_HOST'] means that more SAPIs will implement it using reliable well-defined behavior. (Unlike the other.) However, it is still totally SAPI dependent ➫➫:

There is no guarantee that every web server will provide any of these [$_SERVER entries]; servers may omit some, or provide others not listed here.

To understand how to properly retrieve the host name, first and foremost you need to understand that a server which contains only code has no means of knowing (pre-requisite for verifying) its own name on the network. It needs to interface with a component that supplies it its own name. This can be done via:

  • local config file

  • local database

  • hardcoded source code

  • external request (curl)

  • client/attacker's Host: request

  • etc

Usually its done via the local (SAPI) config file. Note that you have configured it correctly, e.g. in Apache ➫➫:

A couple of things need to be 'faked' to make the dynamic virtual host look like a normal one.

The most important is the server name which is used by Apache to generate self-referential URLs, etc. It is configured with the ServerName directive, and it is available to CGIs via the SERVER_NAME environment variable.

The actual value used at run time is controlled by the UseCanonicalName setting.

With UseCanonicalName Off the server name comes from the contents of the Host: header in the request. With UseCanonicalName DNS it comes from a reverse DNS lookup of the virtual host's IP address. The former setting is used for name-based dynamic virtual hosting, and the latter is used for** IP-based hosting.

If Apache cannot work out the server name because there is no Host: header or the DNS lookup fails then the value configured with ServerName is used instead.

Improve this answer

3 Comments

I would recommend using isset rather than array_key_exists (always). isset is a language construct, while array_key_exists performs a loop of all elements of the array. It may be a tiny overhead but unless there's a reason to use a slower process it's best avoided in my opinion. I'm always interested in improving though.
@AndyGee array_key_exists is a hash lookup not a loop, just like isset. I think you're thinking of in_array.
@Anther Yes you're correct, they do both do a hash lookup, thanks. As a language construct though isset has less code to traverse making it significantly faster. I feel this is a little off topic now, and there's nothing wrong with the answer - more of a general consensus point really.
8

The major difference between the two is that $_SERVER['SERVER_NAME'] is a server controlled variable, while $_SERVER['HTTP_HOST'] is a user-controlled value.

The rule of thumb is to never trust values from the user, so $_SERVER['SERVER_NAME'] is the better choice.

As Gumbo pointed out, Apache will construct SERVER_NAME from user-supplied values if you don't set UseCanonicalName On.

Edit: Having said all that, if the site is using a name-based virtual host, the HTTP Host header is the only way to reach sites that aren't the default site.

Improve this answer

4 Comments

Understood. My hangup is "how could a user alter the value of $_SERVER['HTTP_HOST']?" Is it even possible?
A user can alter that because it's just the contents of the Host header from the incoming request. The main server (or the VirtualHost bound to default:80) will respond to all unknown hosts, thus the contents of the Host tag on that site could be set to anything.
Note that IP-based virtual hosts will ALWAYS respond on their specific IP, so you cannot under any circumstances trust the HTTP Host value on them.
@Jeff, It's like asking "It is possible to call pizza hut's phone number and request to speak to KFC staff?" Sure of course you can request anything you want. @Powerlord, This has nothing to do with IP-based virtual hosts. Your server, regardless of IP-based virtual host or not, cannot under any circumstances trust the HTTP's Host: value unless you have already verified it, either manually or via your SAPI's setup.
4

I am not sure and not really trust $_SERVER['HTTP_HOST'] because it depend on header from client. In another way, if a domain requested by client is not mine one, they will not getting into my site because DNS and TCP/IP protocol point it to the correct destination. However I don't know if possible to hijack the DNS, network or even Apache server. To be safe, I define host name in environment and compare it with $_SERVER['HTTP_HOST'].

Add SetEnv MyHost domain.com in .htaccess file on root and add ths code in Common.php

if (getenv('MyHost')!=$_SERVER['HTTP_HOST']) { header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request'); exit(); }

I include this Common.php file in every php page. This page doing anything required for each request like session_start(), modify session cookie and reject if post method come from different domain.

Improve this answer

1 Comment

Of course it's possible to bypass DNS. An attacker can simply issue a fradulent Host: value directly to your server's IP.
1

XSS will always be there even if you use $_SERVER['HTTP_HOST'], $_SERVER['SERVER_NAME'] OR $_SERVER['PHP_SELF']

Improve this answer

Comments

1

First I want to thank you for all the good answers and explanations. This is the method I created based upon all your answer to get the base url. I only use it in very rare situations. So there is NOT a big focus on security issues, like XSS attacks. Maybe someone needs it.

// Get base url function getBaseUrl($array=false) { $protocol = ""; $host = ""; $port = ""; $dir = ""; // Get protocol if(array_key_exists("HTTPS", $_SERVER) && $_SERVER["HTTPS"] != "") { if($_SERVER["HTTPS"] == "on") { $protocol = "https"; } else { $protocol = "http"; } } elseif(array_key_exists("REQUEST_SCHEME", $_SERVER) && $_SERVER["REQUEST_SCHEME"] != "") { $protocol = $_SERVER["REQUEST_SCHEME"]; } // Get host if(array_key_exists("HTTP_X_FORWARDED_HOST", $_SERVER) && $_SERVER["HTTP_X_FORWARDED_HOST"] != "") { $host = trim(end(explode(',', $_SERVER["HTTP_X_FORWARDED_HOST"]))); } elseif(array_key_exists("SERVER_NAME", $_SERVER) && $_SERVER["SERVER_NAME"] != "") { $host = $_SERVER["SERVER_NAME"]; } elseif(array_key_exists("HTTP_HOST", $_SERVER) && $_SERVER["HTTP_HOST"] != "") { $host = $_SERVER["HTTP_HOST"]; } elseif(array_key_exists("SERVER_ADDR", $_SERVER) && $_SERVER["SERVER_ADDR"] != "") { $host = $_SERVER["SERVER_ADDR"]; } //elseif(array_key_exists("SSL_TLS_SNI", $_SERVER) && $_SERVER["SSL_TLS_SNI"] != "") { $host = $_SERVER["SSL_TLS_SNI"]; } // Get port if(array_key_exists("SERVER_PORT", $_SERVER) && $_SERVER["SERVER_PORT"] != "") { $port = $_SERVER["SERVER_PORT"]; } elseif(stripos($host, ":") !== false) { $port = substr($host, (stripos($host, ":")+1)); } // Remove port from host $host = preg_replace("/:\d+$/", "", $host); // Get dir if(array_key_exists("SCRIPT_NAME", $_SERVER) && $_SERVER["SCRIPT_NAME"] != "") { $dir = $_SERVER["SCRIPT_NAME"]; } elseif(array_key_exists("PHP_SELF", $_SERVER) && $_SERVER["PHP_SELF"] != "") { $dir = $_SERVER["PHP_SELF"]; } elseif(array_key_exists("REQUEST_URI", $_SERVER) && $_SERVER["REQUEST_URI"] != "") { $dir = $_SERVER["REQUEST_URI"]; } // Shorten to main dir if(stripos($dir, "/") !== false) { $dir = substr($dir, 0, (strripos($dir, "/")+1)); } // Create return value if(!$array) { if($port == "80" || $port == "443" || $port == "") { $port = ""; } else { $port = ":".$port; } return htmlspecialchars($protocol."://".$host.$port.$dir, ENT_QUOTES); } else { return ["protocol" => $protocol, "host" => $host, "port" => $port, "dir" => $dir]; } }
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.