Skip to main content

HTTP_HOST vs. SERVER_NAME


When would you consider using one over the other and why?



Source: Tips4allCCNA FINAL EXAM

Comments

  1. HTTP_HOST is the target host sent by the client. It can be manipulated freely by the user. It's no problem to send a request to your site asking for a HTTP_HOST value of www.stackoverflow.com.

    SERVER_NAME comes from the server's VirtualHost definition and is therefore considered more reliable. It can, however, also be manipulated from outside under certain conditions related to how your web server is set up: See this This SO question that deals with the security aspects of both variations.

    You shouldn't rely on either to be safe. That said, what to use really depends on what you want to do. If you want to determine which domain your script is running on, you can safely use HTTP_HOST as long as invalid values coming from a malicious user can't break anything.

    ReplyDelete
  2. Depends what I want to find out. SERVER_NAME is the host name of the server, whilst HTTP_HOST is the virtual host that the client connected to.

    ReplyDelete
  3. if you want to check through a server.php or what ever you want to call it with the following:

    <?php

    phpinfo(INFO_VARIABLES);

    ?>


    or

    <?php

    header("Content-type: text/plain");

    print_r($_SERVER);

    ?>


    Then access it with all the valid urls for your site and check out the difference.

    ReplyDelete
  4. It took me a while to understand what people meant by SERVER_NAME is more reliable. I use a shared server and does not have access to virtual host directives. So, I use mod_rewrite in .htaccess to map different HTTP_HOSTs to different directories. In that case, it is HTTP_HOST that is meaningful. The situation is similar if one uses name-based virtual hosts : the server_name directive within a virtual host simply says which HTTP_HOST will be mapped to this virtual host. The bottom line is that, in both cases, the "server name" provided by the client, which is actually called HTTP_HOST, must be matched with a name within the server, which is itself mapped to a directory. Whether the mapping is done with virtual host directives or with htaccess mod_rewrite rules is secondary here. In both cases, the HTTP_HOST must be the SERVER_NAME. I am glad that Apache is configured that way. However, the situation is different with IP-based virtual hosts. In this case and only in this case, SERVER_NAME and HTTP_HOST can be different, because now the client selects the server by the IP, not by the name. Indeed, there might be special configurations where this is important. So, starting from now, I will use SERVER_NAME, just in case my code is ported in these special configurations.

    ReplyDelete
  5. Please note that if you want to use IPv6, you probably want to use HTTP_HOST rather than SERVER_NAME . If you enter http://[::1]/ the environment variables will be the following:

    HTTP_HOST = [::1]
    SERVER_NAME = ::1


    This means, that if you do a mod_rewrite for example, you might get a nasty result. Example for a SSL redirect:

    # SERVER_NAME will NOT work - Redirection to https://::1/
    RewriteRule .* https://%{SERVER_NAME}/

    # HTTP_HOST will work - Redirection to https://[::1]/
    RewriteRule .* https://%{HTTP_HOST}/


    This applies ONLY if you access the server without an hostname.

    ReplyDelete

Post a Comment

Popular posts from this blog

Why is this Javascript much *slower* than its jQuery equivalent?

I have a HTML list of about 500 items and a "filter" box above it. I started by using jQuery to filter the list when I typed a letter (timing code added later): $('#filter').keyup( function() { var jqStart = (new Date).getTime(); var search = $(this).val().toLowerCase(); var $list = $('ul.ablist > li'); $list.each( function() { if ( $(this).text().toLowerCase().indexOf(search) === -1 ) $(this).hide(); else $(this).show(); } ); console.log('Time: ' + ((new Date).getTime() - jqStart)); } ); However, there was a couple of seconds delay after typing each letter (particularly the first letter). So I thought it may be slightly quicker if I used plain Javascript (I read recently that jQuery's each function is particularly slow). Here's my JS equivalent: document.getElementById('filter').addEventListener( 'keyup', function () { var jsStart = (new Date).getTime()...

Is it possible to have IF statement in an Echo statement in PHP

Thanks in advance. I did look at the other questions/answers that were similar and didn't find exactly what I was looking for. I'm trying to do this, am I on the right path? echo " <div id='tabs-".$match."'> <textarea id='".$match."' name='".$match."'>". if ($COLUMN_NAME === $match) { echo $FIELD_WITH_COLUMN_NAME; } else { } ."</textarea> <script type='text/javascript'> CKEDITOR.replace( '".$match."' ); </script> </div>"; I am getting the following error message in the browser: Parse error: syntax error, unexpected T_IF Please let me know if this is the right way to go about nesting an IF statement inside an echo. Thank you.