PHP $_SERVER[‘HTTP_HOST’] vs. $_SERVER[‘SERVER_NAME’], am I understanding the man pages correctly?

That’s probably everyone’s first thought. But it’s a little bit more difficult. See Chris Shiflett’s article SERVER_NAME Versus HTTP_HOST.

It seems that there is no silver bullet. Only when you force Apache to use the canonical name you will always get the right server name with SERVER_NAME.

So you either go with that or you check the host name against a white list:

$allowed_hosts = array('foo.example.com', 'bar.example.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) {
    header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
    exit;
}

Related Posts:

  1. How to run php files on my computer
  2. Whats the point of running Laravel with the command ‘php artisan serve’?
  3. Enable PHP Apache2
  4. Apache is downloading php files instead of displaying them
  5. PHP code is not being executed, but the code shows in the browser source code
  6. How to configure self hosted wordpress so that everything can be upgraded/installed from dashboard
  7. WordPress multisite causing Error 101 (net::ERR_CONNECTION_RESET): Unknown error [duplicate]
  8. Evaluations of two wordpress security plans against php code injection attack
  9. .htaccess redirect http to https
  10. How do I resolve a HTTP 414 “Request URI too long” error?
  11. 404 Not Found The requested URL was not found on this server
  12. Simplest two-way encryption using PHP
  13. What is the difference between the ‘www’ folder and ‘htdocs’ folder?
  14. XAMPP, Apache – Error: Apache shutdown unexpectedly
  15. SSL error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
  16. client denied by server configuration
  17. XAMPP: Connecting to localhost fix? [Persistent]
  18. Request exceeded the limit of 10 internal redirects due to probable configuration error
  19. How do you redirect HTTPS to HTTP?
  21. lbmethod_heartbeat:notice – No slotmem from mod_heartmonitor –error after installing apache2.4.2 [closed]
  22. XAMPP installation on Win 8.1 with UAC Warning
  23. org.apache.jasper.JasperException
  24. How can I force users to access my page over HTTPS instead of HTTP?
  25. Getting a 500 Internal Server Error on Laravel 5+ Ubuntu 14.04
  26. WAMP won’t turn green. And the VCRUNTIME140.dll error
  27. .htaccess: Invalid command ‘RewriteEngine’, perhaps misspelled or defined by a module not included in the server configuration
  28. WordPress broken app to try wpscan kali tool
  29. wordpress login wp-login.php change url
  30. Enforcing password complexity
  31. cURL 28 error after switch from to brew php 7.2 on localhost
  32. How do I get the right permissions for WordPress running Apache on Debian
  33. How can I improve site/page performance of WordPress websites?
  34. How to run multiple Async HTTP requests in WordPress?
  35. WP CLI info showing correct PHP binary but wrong version of PHP
  36. Renaming wp-content folder dynamically
  37. How do I create a WP user outside of WordPress and auto login?
  38. Best practices for making a WordPress site “movable”?
  39. Which ways can be used to log in to WordPress?
  40. Installing WordPress in a Sub-Folder (not in root) on Localhost
  41. Is it unsafe to put php in the /wp-content/uploads directory?
  42. What’s the proper way to setup WP-CLI on Ubuntu so that I don’t have to use the flag –allow-root?
  43. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  44. Is it possible to move wordpress out of webroot?
  45. login wp impossible
  46. WordPress (3.9.1) MultiSite Permissions. Is chown the answer?
  47. How do I test to ensure that my wp-config file is protected?
  48. Is XAMPP faster than running LAMP in WSL on Windows 10? [closed]
  49. WordPress custom login form using Ajax
  50. Detect session/cookie variable in wordpress to prevent access to documents
  51. SQL Injection blocked by firewall
  52. How to prevent XSS alter custom global javascript object & methods in WordPress
  53. Point root folder to blog.domain.com and subdirectory to domain.com possible?
  54. WordPress admin dashboard missing icons
  55. Generating an nonce for Content Security Policy and all scripts – How to make it match/persist for each page load?
  56. Correct and safe way to include php content in my page
  57. How to add API security keys into JS of wordpress securely
  58. Hardening uploads folder in IIS breaks images
  59. How does WP work in conjunction with a web server?
  60. Troll the hackers by redirecting them
  61. Permalinks are not working in WordPress in digitalocean
  62. Updating From Mobile App – Exposing Site to Hacking
  63. I Made WordPress Multisite. And Now Everything Doesn’t Display Properly
  64. Check against server time to display SQL entries – Radio Station DJ Rotator Plugin
  65. Plugin error after installation
  66. security concerns if using html data-* attribute for l10n?
  67. Problem with data collection in tables
  68. New wordpress keep redirecting to localhost/wp-admin/install.php
  69. How to point domain to wordpress page
  70. echo cutom css code to WordPress page template file ? is this safe?
  71. Is a local multisite installation equivalent to multiple VirtualHosts?
  72. How to rename a wordpress site from http://myserver.example.com/blog to http://myserver.example.com/somethingelse or just http://myserver.example.com
  73. WordPress in AWS Lightsail – restrict public IP
  74. $.ajax results in 403 forbidden
  75. How to edit content in WordPress and the Polylang – plugin? – with demosite
  76. Upgrade to PHP7.3 and Changing Apache from Prefork to Event Breaks WordPress
  77. Site infected by link
  78. Huge time to first byte on live site
  79. Deny php execution in /wp-includes – using .htaccess in /wp-includes VS root folder
  80. Move site root directory on debian
  81. Timthumb isn’t displaying any images. “A TimThumb error has occured
  82. Strange special character/Latin characters
  83. I got ERR_TOO_MANY_REDIRECTS on subdomain
  84. What is the best practice for restricting a section to logged in users?
  85. Rewrite /keyword1+keyword2.html to search page | .htaccess
  86. W3 Total Cache Can’t Really Detect Things
  87. Admin-area broken through weird issues
  88. Apache and Networks
  89. Blog only showing code
  90. Configure VirtualHost for a perfect WordPress Environment
  91. WordPress Memory limit not increasing
  92. Having an HTTP error 500 after migrating a website
  93. oEmbed work on localhost but not on distant server
  94. How to quickly/easily make an analysis (reverse engineering) of WordPress?
  95. session_start(): Cannot find save handler ‘mm’ – session startup failed in /sites
  96. Permalinks to Post name not working
  97. How to rename files during upload to a random string?
  98. WordPress – Unable to Create New Account – Windows/Apache/MySQL
  99. Serve static files via a subdomain on a wordpress
  100. Restricting access to a file for everyone except logged in users

Leave a Comment