
The HTTP Request Lifecycle in PHP: From Socket to $_SERVER
The previous article in this series treated $_SERVER['HTTP_HOST'] and friends as “attacker-controlled territory” and moved on. That’s the right operational answer, but it hides an interesting question: how does a request actually reach your PHP handler in the first place, and which layer decides that Host: attacker.com becomes $_SERVER['HTTP_HOST'] = "attacker.com" in your process? ...