stackoom
  简体   繁体   中英

How reliable is HTTP_HOST?

 原文  2010-11-04 11:26:47       php/ apache/ http-host

Question

I have written a PHP script that I would like to use on several domains on the same server (pointing to same script). I want to add functionality to the script so I can find out which domain the script is working with at any time. HTTP_HOST can be used to find the domain ,however, I have read that its not reliable especially with older browsers. My understanding is most Apache servers use virtual hosts which uses the same method anyway so if its not a problem with hosting providers it shouldn't be an issue with my code.

Can any one please verify this and clear the confusion ?

5 answers

solution1
 10 ACCPTED  2010-11-04 11:38:29

HTTP_HOST is for theHost: header sent by HTTP 1.1 user-agents during the request. This is not used by HTTP 1.0 clients, so it won't appear then. However, nowadays, I don't think there are still many HTTP 1.0 clients.

solution2
 9  2010-11-04 11:31:32

Edit : I stand corrected: The HOST header is not present in HTTP 1.0 requests. See @Bruno's answer. Leaving mine in place because of the security considerations

The only issues with HTTP_HOST that I'm aware of are security issues, not compatibility ones.

The security issues stem from the fact that HTTP_HOST is sent by the user. If the web server is incorrectly set up and/or buggy, arbitrary HTTP_HOST values could make it to your site/script (see eg here for detailed discussion). Your application needs to be prepared for that.

It's good never to trust HTTP_HOST (eg it can be a good idea to set up an array of allowed values for it before processing it in your PHP script):

<?php
  $allowed_hosts = array("domain1.com", "domain2.com", "domain3.com");

  if (!in_array(strtolower($_SERVER["HTTP_HOST"]), $allowed_hosts))
   die ("Unknown host name ". $_SERVER["HTTP_HOST"]);

solution3
 1  2010-11-04 12:13:35

Pekka's answer seems more interesting, but it seems that you want to know which browsers support http 1.1 and which dont. Found this on google: http://www.1-script.com/forums/Browser-Support-for-HTTP-1-1-article34982--8.htm

A note, from that thread: "a HTTP 1.0 browser cannot get to the non-default virtual host." That means that a browser that dont support http 1.1 cannot reach any website on a shared server as far as i know. Thare are LOTS of websites on shared hosts. Also subdomains might(no sure though) be "detected' in the same way, by using the HTTP_HOST var.

After reading these, i dont really think anyone uses a browser that old nowdays, it would be impossible for them to actually navigate the web:)

solution4
 0  2010-11-12 18:30:28

This is what I answered in a similar question :

Looking into this myself for other purposes:

"HTTP/1.0 is in use by proxies, some mobile clients, and IE when configured to use a proxy. So 1.0 appears to still account for a non- trivial % of traffic on the web overall. ... Yes, there are many 1.0 clients still out there."

Source (July 2009): http://groups.google.com/group/erlang-programming/msg/08f6b72d5156ef74

:-(

I am personally getting quite a few HTTP/1.0 requests on my sites with a missing HTTP_HOST :-(

solution5
 0  2020-06-30 08:05:07

This is an old post I stumble onto and the solution I gave is this:

I created a JSON file (my code makes extensive use of these which I call tokens) to become the single source of truth and to be open at the same time for modifications from who knows what new things will emerge in a application/framework:

// accounttoken.json
{
    "site": {
        "email": "admin@email.com",
        "password": "Bty1!",
        "firstname": "John",
        "secondname": "Doe",
        "country": "USA",
        "username": "Admin",
        "role": "admin",
        "protocol": "http://",
        "domain": "a9623c7ca853.eu.ngrok.io",
        "site_key": "fgRt4%$x!0($DqJi",
        "language": "en"
    },
    "google": {
        "client_id": "51965.apps.googleusercontent.com",
        "client_secret": "8Kz"
    },
    "db_mysql": {
        "db_port": 3306,
        "db_user": "<user>"
    },
// more entries here...
}

Now, all you have to do is to consult your entries in one file:

// find php executable
cent$ whereis php
php: /usr/bin/php7.0 /usr/bin/php /usr/lib/php /etc/php /usr/include/php ...

// start interactive shell
cent$ /usr/bin/php7.0 -a

php > $json = file_get_contents('accounttoken.json');
php > $json = json_decode($json, true);
php > echo('Your domain is: ' . $json['site']['domain']);
php > echo('The site url is: ' . $json['site']['protocol'] . $json['site']['domain']);
php > quit

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question php - How reliable is HTTP_HOST, and will it work for search bots? How to redirect website by htaccess HTTP_HOST how safe is $_SERVER[“HTTP_HOST”]? RewriteCond %{HTTP_HOST} not responding http_host with and without www $_SERVER['HTTP_HOST'] not recognized $_SERVER['HTTP_HOST'] not set How to add content HTTP_HOST variable to query string Need to remove www from $_SERVER['HTTP_HOST'] how? HTTP_HOST strlen wrong length
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM