What is the difference between HTTP HOST and SERVER NAME in PHP

Question

What is the difference between   SERVER  HTTP HOST   and   SERVER  SERVER NAME   in PHP  When would you consider using one over the other and why

User · Answer

As I mentioned in this answer  if the server runs on a port other than 80  as might be common on a development intranet machine  then HTTP HOST contains the port  while SERVER NAME does not     SERVER  HTTP HOST       localhost 8080    SERVER  SERVER NAME       localhost     At least that s what I ve noticed in Apache port-based virtualhosts   Note that HTTP HOST does not contain  443 when running on HTTPS  unless you re running on a non-standard port  which I haven t tested    As others have noted  the two also differ when using IPv6     SERVER  HTTP HOST          1     SERVER  SERVER NAME         1

User · Answer

The HTTP HOST is obtained from the HTTP request header and this is what the client actually used as  target host  of the request  The SERVER NAME is defined in server config  Which one to use depends on what you need it for  You should now however realize that the one is a client-controlled value which may thus not be reliable for use in business logic and the other is a server-controlled value which is more reliable  You however need to ensure that the webserver in question has the SERVER NAME correctly configured  Taking Apache HTTPD as an example  here s an extract from its documentation      If no ServerName is specified  then the server attempts to deduce the hostname by performing a reverse lookup on the IP address  If no port is specified in the ServerName  then the server will use the port from the incoming request  For optimal reliability and predictability  you should specify an explicit hostname and port using the ServerName directive      Update  after checking the answer of Pekka on your question which contains a link to bobince s answer that PHP would always return HTTP HOST s value for SERVER NAME  which goes against my own PHP 4 x   Apache HTTPD 1 2 x experiences from a couple of years ago  I blew some dust from my current XAMPP environment on Windows XP  Apache HTTPD 2 2 1 with PHP 5 2 8   started it  created a PHP page which prints the both values  created a Java test application using URLConnection to modify the Host header and tests taught me that this is indeed  incorrectly  the case   After first suspecting PHP and digging in some PHP bug reports regarding the subject  I learned that the root of the problem is in web server used  that it incorrectly returned HTTP Host header when SERVER NAME was requested  So I dug into Apache HTTPD bug reports using various keywords regarding the subject and I finally found a related bug  This behaviour was introduced since around Apache HTTPD 1 3  You need to set UseCanonicalName directive to on in the  lt VirtualHost gt  entry of the ServerName in httpd conf  also check the warning at the bottom of the document      lt VirtualHost   gt      ServerName example com     UseCanonicalName on  lt  VirtualHost gt     This worked for me    Summarized  SERVER NAME is more reliable  but you re dependent on the server config

User · Answer

Assuming one has a simple setup  CentOS 7  Apache 2 4 x  and PHP 5 6 20  and only one website  not assuming virtual hosting      In the PHP sense    SERVER  SERVER NAME   is an element PHP registers in the   SERVER superglobal based on your Apache configuration    ServerName   directive with UseCanonicalName On   in httpd conf  be it from an included virtual host configuration file  whatever  etc       HTTP HOST is derived from the HTTP host header  Treat this as user input  Filter and validate before using  Here is an example of where I use   SERVER  SERVER NAME   as the basis for a comparison  The following method is from a concrete child class I made named ServerValidator  child of Validator   ServerValidator checks six or seven elements in   SERVER before using them  In determining if the HTTP request is POST  I use this method  public function isPOST         return    this- gt requestMethod      POST       amp  amp      Ignore              this- gt hasTokenTimeLeft               amp  amp      Ignore              this- gt hasSameGETandPOSTIdentities    amp  amp      Ingore               this- gt httpHost     filter input INPUT SERVER   SERVER NAME         By the time this method is called  all filtering and validating of relevant   SERVER elements would have occurred  and relevant properties set   The line       this- gt httpHost     filter input INPUT SERVER   SERVER NAME        checks that the   SERVER  HTTP HOST   value  ultimately derived from the requested host HTTP header  matches   SERVER  SERVER NAME    Now  I am using superglobal speak to explain my example  but that is just because some people are unfamiliar with INPUT GET  INPUT POST  and INPUT SERVER in regards to filter input array    The bottom line is  I do not handle POST requests on my server unless all four conditions are met  Hence  in terms of POST requests  failure to provide an HTTP host header  presence tested for earlier  spells doom for strict HTTP 1 0 browsers  Moreover  the requested host must match the value for ServerName in the httpd conf  and  by extention  the value for   SERVER  SERVER NAME   in the   SERVER superglobal  Again  I would be using INPUT SERVER with the PHP filter functions  but you catch my drift  Keep in mind that Apache frequently uses ServerName in standard redirects  such as leaving the trailing slash off a URL  Example  http   www example com becoming http   www example com    even if you are not using URL rewriting  I use   SERVER  SERVER NAME   as the standard  not   SERVER  HTTP HOST    There is a lot of back and forth on this issue     SERVER  HTTP HOST   could be empty  so this should not be the basis for creating code conventions such as my public method above  But  just because both may be set does not guarantee they will be equal  Testing is the best way to know for sure  bearing in mind Apache version and PHP version

User · Answer

SERVER  SERVER NAME   is based on your web servers configuration    SERVER  HTTP HOST   is based on the request from the client

User · Answer

If you want to check through a server php or whatever  you want to call it  with the following    lt  php     phpinfo INFO VARIABLES     gt    or   lt  php     header  Content-type  text plain         print r   SERVER     gt    Then access it with all the valid URLs for your site and check out the difference

User · Answer

Depends what I want to find out  SERVER NAME is the host name of the server  whilst HTTP HOST is the virtual host that the client connected to

User · Answer

It took me a while to understand what people meant by 'SERVER_NAME is more reliable'. I use a shared server and does not have access to virtual host directives. So, I use mod_rewrite in .htaccess to map different HTTP_HOSTs to different directories. In that case, it is HTTP_HOST that is meaningful.

The situation is similar if one uses name-based virtual hosts: the ServerName directive within a virtual host simply says which hostname will be mapped to this virtual host. The bottom line is that, in both cases, the hostname provided by the client during the request (HTTP_HOST), must be matched with a name within the server, which is itself mapped to a directory. Whether the mapping is done with virtual host directives or with htaccess mod_rewrite rules is secondary here. In these cases, HTTP_HOST will be the same as SERVER_NAME. I am glad that Apache is configured that way.

However, the situation is different with IP-based virtual hosts. In this case and only in this case, SERVER_NAME and HTTP_HOST can be different, because now the client selects the server by the IP, not by the name. Indeed, there might be special configurations where this is important.

So, starting from now, I will use SERVER_NAME, just in case my code is ported in these special configurations.

User · Answer

HTTP HOST is the target host sent by the client  It can be manipulated freely by the user  It s no problem to send a request to your site asking for a HTTP HOST value of www stackoverflow com   SERVER NAME comes from the server s VirtualHost definition and is therefore considered more reliable  It can  however  also be manipulated from outside under certain conditions related to how your web server is set up  See this This SO question that deals with the security aspects of both variations    You shouldn t rely on either to be safe  That said  what to use really depends on what you want to do  If you want to determine which domain your script is running on  you can safely use HTTP HOST as long as invalid values coming from a malicious user can t break anything

User · Answer

As balusC said SERVER NAME is not reliable and can be changed in apache config   server name config of server and firewall that can be between you and server   Following function always return real host  user typed host  without port and it s almost reliable    function getRealHost       list  realHost   explode       SERVER  HTTP HOST        return  realHost

User · Answer

Please note that if you want to use IPv6, you probably want to use HTTP_HOST rather than SERVER_NAME . If you enter http://[::1]/ the environment variables will be the following:

HTTP_HOST = [::1]
SERVER_NAME = ::1

This means, that if you do a mod_rewrite for example, you might get a nasty result. Example for a SSL redirect:

# SERVER_NAME will NOT work - Redirection to https://::1/
RewriteRule .* https://%{SERVER_NAME}/

# HTTP_HOST will work - Redirection to https://[::1]/
RewriteRule .* https://%{HTTP_HOST}/

This applies ONLY if you access the server without an hostname.

[php] What is the difference between HTTP_HOST and SERVER_NAME in PHP?

The answer is

Examples related to php

Examples related to apache

Examples related to server-variables

Tags