The values in $_SERVER are environment variables set by the hosting web server. It depends on how exactly the HTTPS environment variable is set to say whether it's "safe" or not; but typically in Apache that value is set by the SSL module if and only if it's serving an SSL connection. As far as anyone's aware (or at least me), there's no way for the user to send anything in the request to change this value. The user should only be able to send HTTP headers, which would all end up in $_SERVER['HTTP_*'] values, never plain 'HTTPS'.
So, unless there are some unknown bugs in your web server which allow a user to send information in a request that tricks the server into setting the HTTPS environment variable incorrectly, it's pretty safe.
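
The header-to-key mapping described in this answer, as an added example that is not part of the original answer. The function names are hypothetical, `header_to_server_key()` is a model of the CGI naming convention rather than PHP's own code, and the `$_SERVER`-style arrays are constructed samples.

```php
<?php
declare(strict_types=1);

// Model of the CGI convention (RFC 3875) for request headers: the name is
// upper-cased, '-' becomes '_', and the result is prefixed with HTTP_.
function header_to_server_key(string $headerName): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

// Build a constructed $_SERVER-like array. $serverSet is what the web server
// itself sets; $clientHeaders is what arrived in the request.
function build_server_array(array $serverSet, array $clientHeaders): array
{
    $server = $serverSet;
    foreach ($clientHeaders as $name => $value) {
        $server[header_to_server_key($name)] = $value;
    }
    return $server;
}

// Decide from the server-set key only. PHP documents HTTPS as non-empty when
// the request used HTTPS; IIS with ISAPI sets it to "off" for plain HTTP.
function is_https(array $server): bool
{
    $flag = (string) ($server['HTTPS'] ?? '');
    return $flag !== '' && strtolower($flag) !== 'off';
}

// Constructed sample 1: plain HTTP request whose client sent headers named
// "HTTPS" and "X-Forwarded-Proto". Both land under HTTP_* keys.
$plain = build_server_array(
    ['SERVER_PORT' => '80'],
    ['HTTPS' => 'on', 'X-Forwarded-Proto' => 'https']
);

// Constructed sample 2: TLS request, HTTPS set by the server's SSL module.
$tls = build_server_array(['HTTPS' => 'on', 'SERVER_PORT' => '443'], []);

// Constructed sample 3: IIS/ISAPI-style plain HTTP request.
$iisPlain = build_server_array(['HTTPS' => 'off', 'SERVER_PORT' => '80'], []);

var_dump(array_keys($plain));   // shows HTTP_HTTPS, never a bare HTTPS key
var_dump(is_https($plain));
var_dump(is_https($tls));
var_dump(is_https($iisPlain));
```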