The HTTP Request Lifecycle in PHP — from TCP socket through Apache or Nginx and PHP-FPM into the $_SERVER superglobal

The HTTP Request Lifecycle in PHP: From Socket to $_SERVER

The previous article in this series treated $_SERVER['HTTP_HOST'] and friends as “attacker-controlled territory” and moved on. That’s the right operational answer, but it hides an interesting question: how does a request actually reach your PHP handler in the first place, and which layer decides that Host: attacker.com becomes $_SERVER['HTTP_HOST'] = "attacker.com" in your process? ...

July 16, 2026 · 17 min · 3561 words · CyberSecurity Elite Team
Educational content for authorized testing only. · Disclaimer · Editorial Policy · Sitemap