is $_SERVER vulnerable to change by users

Question

I would really like to use the answer from the following question: How can I force users to access my page over HTTPS instead of HTTP?

BUT I was always under the impression that the global $_SERVER variable is vulnerable to change by the users, and should not be relied on. Is that true?

if($_SERVER["HTTPS"] != "on")
{
    header("Location: https://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
    exit();
}

If it is vulnerable to change, why did so many people recommend this answer.

Answer 1

The values in $_SERVER are environment variables set by the hosting web server. It depends on how exactly the HTTPS environment variable is set to say whether it's "safe" or not; but typically in Apache that value is set by the SSL module if and only if it's serving an SSL connection. As far as anyone's aware (or at least me), there's no way for the user to send anything in the request to change this value. The user should only be able to send HTTP headers, which would all end up in $_SERVER['HTTP_*'] values, never plain 'HTTPS'.

So, unless there are some unknown bugs in your web server which allows a user to send information in a request that tricks the server into settings the HTTPS environment variable incorrectly, it's pretty safe.