Is $http_host dangerous?

Francis Daly francis at
Mon May 28 00:28:15 UTC 2012

On Sun, May 27, 2012 at 06:16:06PM -0400, x7311 wrote:

Hi there,

> Actually, I should reconsider my position on this after reading this:

That page seems to be about variables made available by the PHP
implementation in apache.

In nginx, PHP is (typically) accessed using fastcgi, so the $_SERVER
variables are exactly what is set in (again, typically) fastcgi.conf.

HTTP_HOST is "the Host: header, if any". SERVER_NAME from nginx is "the
first element of server_name", but from apache appeared to depend on the
Host: header.

For both apache and nginx, HTTP_* come straight from the user, and some
other variables come from the server admin.

> I am not sure how nginx reacts to that, but according to you Francis,
> you seems to be inline with Chris Shiflett that neither is safe nor
> insecure. They are pretty much the same thing. 

Agreed. Once you know what the variables represent, you can decide what
is the appropriate one for your use case.

It is not difficult to construct a scenario in nginx where $server_name
is "one", $http_host is "two", and $host is "three". But that's unlikely
to be done by an innocent user.

> Under one circumstances, can you think of a way to exploit when using
> $http_host?

Using $http_host instead of $host?

Pick any circumstance where they are different, and the difference
matters. A simple one is "root /var/www/$http_host". Now "curl
http://public/" and "curl http://PUBLIC/" will probably return different
content, where "root /var/www/$host" would have returned the same.


echo 'GET http://public/ HTTP/1.0
Host: private

' | nc public 80

would also probably return different content (and that one might also
"work" for "proxy_set_header Host $http_host" to an upstream server).

It depends on how the variables are used. And it can probably all be
avoided by appropriate configuration elsewhere.

Francis Daly        francis at

More information about the nginx mailing list