Can $_SERVER['SERVER_NAME'] be forged/faked?
Can the PHP variable $_SERVER['SERVER_NAME'] be forged or faked? I was planning on using that as a security measure for form posting. I would check to make sure that variable is my site name (www.example.com). I know HTTP_REFERRER can be faked, but I wasn't sure on this one.

Thanks!

Mauretta answered 9/7, 2012 at 1:43 Comment(1)
No matter what, it'll always be the same: your server, not the server the request came from. Schuck
8

Actually $_SERVER['SERVER_NAME'] can be affected by what the client browser sends over... See http://shiflett.org/blog/2006/mar/server-name-versus-http-host for a thorough investigation of the issue.

Preach answered 9/7, 2012 at 1:53 Comment(2)
Thanks for the link to this blog post. It does, however, mention the possibility of influencing SERVER_NAME by sending an HTTP_HOST header in a scenario where the Apache webserver is "misconfigured". Are you aware of any other way to influence this value if the web server is configured correctly/securely? Catalog
Not that I know of, but the problem is that that setting in Apache is insecure by default (httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname), so I guess a lot of people will not realize that they need to change that value to make it secure. Preach
3

By a visitor it can't normally be faked out. But I suspect you would want to enforce a certain SERVER_NAME to license scripts so they can only be used by particular domains. In this case the answer is yes, this variable can definitely be faked.

The reason is simple: the server sets this value. In most cases you would have PHP running as an Apache module, but sometimes you have other Apache modules, sometimes you have PHP running in CGI mode with NGINX or IIS, and sometimes you even have PHP running as CLI, forked as a child process by a custom-built server deployed in a cloud. Those servers would be responsible for setting that variable.

Plus, there's always the manual assignment.

 $_SERVER['SERVER_NAME'] = ... // this can go above all your scripts
Outofdoor answered 9/7, 2012 at 1:55 Comment(0)
2

It can't be faked, per se, but it will always return your site name. It is useful if you are running multiple sites off of the same script and, for example, use a different database depending on the host name provided.

The PHP documentation says:

'SERVER_NAME'
    The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host. 
Riven answered 9/7, 2012 at 1:44 Comment(1)
You're confusing SERVER_NAME with HTTP_HOST. Venule
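The thread makes two practical points: with Apache's default UseCanonicalName Off, SERVER_NAME is derived from the client's Host header (Preach's answer and the linked Shiflett post), and the host name is often used to pick a per-site configuration such as a database (Riven's answer). The following is an added example, not code from the original thread or from any of the posters, showing how a defender handles both: validate the client-supplied host against an allowlist and fail closed, rather than trusting SERVER_NAME or HTTP_HOST as-is. The site names, the two simulated $_SERVER arrays and the function names are all constructed for illustration.

```php
<?php
// Added example (not from the original thread): fail-closed host validation.
// The canonical site names and the two $server arrays below are constructed;
// each array simulates what PHP receives from Apache in one configuration.

declare(strict_types=1);

/**
 * Normalize a Host header value: lower-case it, strip any ":port" suffix,
 * and reject anything that is not a plain hostname (IPv6 literals are
 * deliberately not accepted in this example).
 */
function normalize_host(string $host): ?string
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host === null || $host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    return $host;
}

/**
 * Return the trusted canonical host for this request, or null.
 * The decision is made on the client-supplied Host header checked against an
 * allowlist, never on SERVER_NAME alone: with Apache's default
 * "UseCanonicalName Off", SERVER_NAME is populated from that same header.
 */
function trusted_host(array $server, array $allowed): ?string
{
    $candidate = normalize_host((string)($server['HTTP_HOST'] ?? ''));
    if ($candidate === null) {
        return null;
    }
    return in_array($candidate, $allowed, true) ? $candidate : null;
}

/**
 * Multi-site dispatch (the use case in Riven's answer): map a validated host
 * to its configuration. An unknown or malformed host gets no configuration.
 */
function site_config(array $server, array $sites): ?array
{
    $host = trusted_host($server, array_keys($sites));
    return $host === null ? null : $sites[$host];
}

// --- constructed sample data ---
$sites = [
    'www.example.com'  => ['db' => 'example_main'],
    'shop.example.com' => ['db' => 'example_shop'],
];

// UseCanonicalName Off (Apache default): SERVER_NAME simply echoes the Host
// header, so a request carrying an unexpected host name shows up in both.
$unexpected = [
    'HTTP_HOST'   => 'www.example.com.unrelated.test',
    'SERVER_NAME' => 'www.example.com.unrelated.test',
];

// UseCanonicalName On with ServerName set: SERVER_NAME is fixed by the server
// configuration, while HTTP_HOST still carries whatever the client sent,
// here with different casing and an explicit port.
$legit = [
    'HTTP_HOST'   => 'WWW.EXAMPLE.COM:443',
    'SERVER_NAME' => 'www.example.com',
];

var_dump(site_config($unexpected, $sites));
var_dump(site_config($legit, $sites));
```

Run with `php example.php`: the first request, whose Host header is not on the allowlist, yields no configuration at all, while the second is normalized to www.example.com and resolves to the example_main settings. The allowlist check is what makes this safe regardless of how Apache is configured; setting UseCanonicalName On and a ServerName, as the linked documentation describes, additionally keeps SERVER_NAME itself stable, but the application-side check should not depend on that.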
