Can $_SERVER['SERVER_NAME'] be forged/faked?

Question

Can the PHP variable $_SERVER['SERVER_NAME'] be forged or faked? I was planning on using that as a security measure for form posting. I would check to make sure that variable is my site name (www.example.com). I know HTTP_REFERRER can be faked, but I wasn't sure on this one.

Thanks!

Answer 1

Actually $_SERVER['SERVER_NAME'] can be affected by what the client browser sends over... See http://shiflett.org/blog/2006/mar/server-name-versus-http-host for a through investigation on the issue.

Answer 2

By a visitor it can't normally be faked out. But I suspect you would want to enforce a certain SERVER_NAME to license scripts so they can only be used by particular domains. In this case the answer is yes, this variable can definitely be faked.

The reason is simple, the server sets this value. In most cases you would have PHP running as an Apache module, but sometimes you have other Apache modules, sometime you have PHP running in CGI mode with NGINX or IIS, sometimes you even have PHP running as CLI forked as a child process by a custom-built server deployed in a cloud. Those servers would be responsible for setting that variable.

Plus, there's always the manual assignment.

 $_SERVER['SERVER_NAME'] = ... // this can go above all your scripts

Answer 3

It can't be faked, persay, but it will always return your site name. It is useful if you are running multiple sites off of the same script and, for example, use a different database depending on the host name provided.

The PHP documentation says:

'SERVER_NAME'
    The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host.