SERVER_NAME:

• The name of the server host under which the current script is executing.
• If the script is running on a virtual host, this will be the value defined for that virtual host.
• SERVER_NAME comes from the server’s VirtualHost definition and is therefore considered more reliable.
• It can, however, also be manipulated from outside under certain conditions related to how your web server is set up.

HTTP_HOST:

• Contents of the Host: header from the current request, if there is one.
• HTTP_HOST is the target host sent by the client. It can be manipulated freely by the user.
• It’s no problem to send a request to your site asking for a HTTP_HOST
• HTTP_HOST vs SERVER_NAME:
• Imagine your web server has a default host set up as follows:
• UseCanonicalName Off
  ServerName example.org
• The ServerName directive might seem like the only thing that affects $_SERVER[‘SERVER_NAME’], but is this a safe assumption?
• To determine what affect the Host header has, if any, create an index.php in the document root of the default host with the following code

<?php  
echo "HTTP_HOST [{$_SERVER['HTTP_HOST']}]\n"; 
echo "SERVER_NAME [{$_SERVER['SERVER_NAME']}]"; 
 ?>

You can test several different values for Host easily enough with telnet:

telnet example.org 80

Here are a few tests and corresponding results. For each test, we show the exact request and the content of the response.

1. No Host, HTTP/1.0

Request:

GET / HTTP/1.0

Result:

HTTP_HOST []
SERVER_NAME [example.org]

Empty Host, HTTP/1.0

Request:

GET / HTTP/1.0
Host:

Result:

HTTP_HOST []
SERVER_NAME []

With an empty Host, SERVER_NAME is empty.

Empty Host, HTTP/1.1

Request:

 GET / HTTP/1.1
 Host:

Result:

HTTP_HOST []
SERVER_NAME []

Request:

GET / HTTP/1.1
Host: <script>alert('XSS')</script>

Result:

HTTP_HOST [<script>alert('XSS')</script>]
SERVER_NAME [<script>alert('XSS')</script>]

With a non-empty Host, SERVER_NAME is the HTML-escaped host value.

SQL Injection Host, HTTP/1.1

Request:

GET / HTTP/1.1
Host: chris' --

Result:

HTTP_HOST [chris' --] 
SERVER_NAME [chris' --]

• As you can see by the results Under certain circumstances, the Host header can affect $_SERVER[‘SERVER_NAME’].
• The ServerName directive is used when the Host header is absent, and apparently $_SERVER[‘SERVER_NAME’] is escaped with something like htmlentities().
• Sometimes, it’s hard to tell whether a particular element in $_SERVER can be affected by the HTTP request (ask Sean about PHP_SELF)
• so I find it easier to treat everything from $_SERVER just as if it were something like $_GET or $_POST.
• SERVER_NAME instead of HTTP_HOST
• We found a problem with our configuration (nginx and php-fpm).
• When you define domain in your plugin you are using SERVER_NAME as its value.
• SERVER_NAME with this configuration is not the same as HTTP_HOST, so the plugin is not working.
• We have changed it to get the SERVER_NAME from HTTP_HOST that it’s what the user is really loading in its browser.
• With this line in wp-config.php it’s working well

$_SERVER['SERVER_NAME'] = $_SERVER['HTTP_HOST'];

Get host name or server name in PHP:

• $_SERVER[‘HTTP_HOST’] give you host infomration obtained from the HTTP request header and this is what the client actually used as “target host” of the request.
• $_SERVER[‘SERVER_NAME’] normally returns the same result as $_SERVER[‘HTTP_HOST’], but is defined in server config.
• However, if you server is running behind the proxy, then should use $_SERVER[‘HTTP_X_FORWARDED_HOST’] and

$_SERVER['HTTP_X_FORWARDED_SERVER'] in place of $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME']. 

$host_name = isset($_SERVER['HTTP_X_FORWARDED_HOST']) ?  
              $_SERVER['HTTP_X_FORWARDED_HOST'] : $_SERVER("HTTP_HOST");  
$server_name = isset($_SERVER['HTTP_X_FORWARDED_SERVER']) ?   
              $_SERVER['HTTP_X_FORWARDED_SERVER'] : $_SERVER("SERVER_NAME");