Step-by-step guides for the skills working security professionals use every day. Each tutorial includes labs you can replicate, the commands that matter, and the why behind the workflow.

The HTTP Request Lifecycle in PHP: From Socket to $_SERVER
The previous article in this series treated $_SERVER['HTTP_HOST'] and friends as “attacker-controlled territory” and moved on. That’s the right operational answer, but it hides an interesting question: how does a request actually reach your PHP handler in the first place, and which layer decides that Host: attacker.com becomes $_SERVER['HTTP_HOST'] = "attacker.com" in your process? ...








