How reliable is HTTP_HOST?
Edit: I stand corrected: The HOST header is not present in HTTP 1.0 requests. See @Bruno's answer. Leaving mine in place because of the security considerations
The only issues with HTTP_HOST that I'm aware of are security issues, not compatibility ones.
The security issues stem from the fact that HTTP_HOST
is sent by the user. If the web server is incorrectly set up and/or buggy, arbitrary HTTP_HOST
values could make it to your site/script (see e.g. here for detailed discussion). Your application needs to be prepared for that.
It's good never to trust HTTP_HOST (e.g. it can be a good idea to set up an array of allowed values for it before processing it in your PHP script):
<?php
$allowed_hosts = array("domain1.com", "domain2.com", "domain3.com");
if (!in_array(strtolower($_SERVER["HTTP_HOST"]), $allowed_hosts))
die ("Unknown host name ". $_SERVER["HTTP_HOST"]);
HTTP_HOST
is for the Host:
header sent by HTTP 1.1 user-agents during the request. This is not used by HTTP 1.0 clients, so it won't appear then. However, nowadays, I don't think there are still many HTTP 1.0 clients.
Pekka's answer seems more interesting, but it seems that you want to know which browsers support http 1.1 and which dont. Found this on google: http://www.1-script.com/forums/Browser-Support-for-HTTP-1-1-article34982--8.htm
A note, from that thread: "a HTTP 1.0 browser cannot get to the non-default virtual host." That means that a browser that dont support http 1.1 cannot reach any website on a shared server as far as i know. Thare are LOTS of websites on shared hosts. Also subdomains might(no sure though) be "detected' in the same way, by using the HTTP_HOST var.
After reading these, i dont really think anyone uses a browser that old nowdays, it would be impossible for them to actually navigate the web:)