PHP$_SERVER

$_SERVER

$_SERVER is an associative array that PHP fills in for every request with details about the web server and the request itself. It does not come from a form or a URL parameter that a developer designed — it is assembled by the web server and PHP's SAPI layer before your script even starts, which makes it a reliable source of request metadata rather than application data.

Inspecting what is available

The exact keys present in $_SERVER vary slightly by server software (Apache, Nginx with PHP-FPM, or the built-in development server), but a core set is available almost everywhere. Dumping the array during development is a quick way to see what your particular environment provides.

Looking at everything in $_SERVER

PHP
<?php
foreach ($_SERVER as $key => $value) {
    if (is_string($value)) {
        echo "{$key} = {$value}\n";
    }
}
REQUEST_METHOD = GET
REQUEST_URI = /products?category=books
HTTP_HOST = letcodes.example
SCRIPT_NAME = /index.php
REMOTE_ADDR = 203.0.113.42
Common keys and what they tell you
  • REQUEST_METHOD - the HTTP verb used, such as GET, POST, PUT, or DELETE.

  • REQUEST_URI - the path and query string as requested, e.g. /products?category=books.

  • HTTP_HOST - the host name the client sent in the Host header, e.g. letcodes.example.

  • SCRIPT_NAME - the path to the currently executing script, relative to the document root.

  • REMOTE_ADDR - the IP address of the client making the request.

  • HTTPS - set to a non-empty value when the request arrived over TLS.

Practical use: simple routing

Front-controller style applications often inspect REQUEST_URI and REQUEST_METHOD together to decide which piece of code should handle a request, before any framework-level router gets involved.

A tiny manual router

PHP
<?php
$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$method = $_SERVER['REQUEST_METHOD'];

if ($path === '/health' && $method === 'GET') {
    echo 'OK';
} else {
    http_response_code(404);
    echo 'Not found';
}
OK
Practical use: building absolute URLs

Redirects, emails, and Open Graph meta tags often need a full URL rather than a relative path. Combining HTTPS, HTTP_HOST, and REQUEST_URI lets you reconstruct one without hardcoding the domain.

Reconstructing the current absolute URL

PHP
<?php
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$host = htmlspecialchars($_SERVER['HTTP_HOST'] ?? 'localhost', ENT_QUOTES, 'UTF-8');
$uri = htmlspecialchars($_SERVER['REQUEST_URI'] ?? '/', ENT_QUOTES, 'UTF-8');

$currentUrl = "{$scheme}://{$host}{$uri}";
echo $currentUrl;
https://letcodes.example/products?category=books
HTTP_HOST comes from the client, so escape it
`HTTP_HOST` is copied from a header the browser sends, which means a malicious or misconfigured client can send an unexpected value. Escape it with `htmlspecialchars()` before printing it into HTML, and do not trust it for security-sensitive decisions such as generating password reset links — use a hardcoded, configured domain for those instead.
Quick reference

Key

Meaning

REQUEST_METHOD

HTTP verb of the current request

REQUEST_URI

Path plus query string as requested

HTTP_HOST

Host header sent by the client

SCRIPT_NAME

Path to the running PHP script

REMOTE_ADDR

Client's IP address

HTTPS

Non-empty when the connection used TLS

Tip
`$_SERVER` is a good place to check the request method before touching `$_POST`, exactly the pattern used on the Form Handling page: `if ($_SERVER['REQUEST_METHOD'] === 'POST') { ... }`.