Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Helpers: take host name from SERVER_NAME instead of HTTP_HOST #309

Closed
wants to merge 10 commits into from

Conversation

adaamz
Copy link

@adaamz adaamz commented Jul 9, 2018

bug fix
BC break? yes

Hi,
it is better to identify server host name by secure directive SERVER_NAME, because HTTP_HOST is not secure and can be changed by user.
https://www.skeletonscribe.net/2013/05/practical-http-host-header-attacks.html

@dg
Copy link
Member

dg commented Apr 8, 2020

Why do you think SERVER_NAME can't be spoofed in the same way?

@adaamz
Copy link
Author

adaamz commented Apr 8, 2020

@dg https://www.geeksforgeeks.org/what-is-the-difference-between-http_host-and-server_name-in-php/
SERVER_NAME should be obtained from server configuration (hardcoded)
HTTP_HOST is obtained from HTTP headers (which can anybody change)

@dg
Copy link
Member

dg commented Apr 8, 2020

The question should have been different. Why I'd like to see SERVER_NAME instead of spoofed HTTP_HOST in source line? HTTP_HOST better reflects what is in the address bar.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants