Hi,
I noticed that when I dump the $_SERVER values in a PHP script, I can see some information which I do not need. I am not sure if it’s secure to do that. For example, on a LEMP bundle, I can see something like:
print_r($_SERVER);
// Output
Array
(
[PHP_FCGI_CHILDREN] => 4
[PHPRC] => /home/mydomain/etc/php7.2
[XDG_SESSION_ID] => c166
[SHELL] => /bin/bash
[USER] => mydomain
[LD_LIBRARY_PATH] =>
[REMOTE_ADDR_PROTOCOL] => 4
[PATH] => /bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/sbin:/usr/sbin:/bin:/usr/bin
[_] => /usr/bin/php-loop.pl
[SERVER_REALROOT] => /usr/libexec/webmin
[PWD] => /usr/libexec/webmin/init/
[PERLLIB] => /usr/libexec/webmin
[REMOTE_ADDR] => 1.2.3.4
[HOME] => /home/mydomain
[SHLVL] => 4
[LOGNAME] => mydomain
[XDG_RUNTIME_DIR] => /run/user/1001
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.9
[HTTP_ACCEPT_ENCODING] => gzip, deflate
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
[HTTP_USER_AGENT] => Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_CACHE_CONTROL] => max-age=0
[HTTP_CONNECTION] => keep-alive
[HTTP_HOST] => mydomain.com
[HTTPS] =>
[SERVER_NAME] => mydomain.com
[SERVER_PORT] => 80
[SERVER_ADDR] => 1.2.3.5
[REMOTE_PORT] => 60891
[SERVER_PROTOCOL] => HTTP/1.1
[DOCUMENT_ROOT] => /home/mydomain/public_html
[DOCUMENT_URI] => /admin/index.php
[REQUEST_URI] => /admin/
[SCRIPT_NAME] => /admin/index.php
[SCRIPT_FILENAME] => /home/mydomain/public_html/admin/index.php
[CONTENT_LENGTH] =>
[CONTENT_TYPE] =>
[REQUEST_METHOD] => GET
[QUERY_STRING] =>
[SERVER_SOFTWARE] => nginx
[GATEWAY_INTERFACE] => CGI/1.1
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /admin/index.php
[REQUEST_TIME_FLOAT] => 1593500317.8069
[REQUEST_TIME] => 1593500317
)
Some of the information is unnecessary, like SERVER_REALROOT, PWD and so on. If I set fastcgi_param SERVER_REALROOT ""; the key is there but it’s just blank.
How can I remove them properly?
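
An added example, not part of the original post: one way to drop such keys inside PHP is to keep only an allowlist of request-describing keys from the dump above plus the HTTP_* headers. It assumes the extra entries (SHELL, PWD, SERVER_REALROOT and so on) are the inherited environment of the PHP FastCGI process, which would be why an empty fastcgi_param only blanks the value; SERVER_KEEP, scrub_server and scrub_request_environment are hypothetical names.

```php
<?php
// Added example, not code from the original post.
// Assumption: the unwanted keys are the PHP process's inherited environment.

// Request-describing keys from the dump above; anything else is dropped.
const SERVER_KEEP = [
    'REMOTE_ADDR', 'REMOTE_PORT', 'SERVER_ADDR', 'SERVER_NAME', 'SERVER_PORT',
    'SERVER_PROTOCOL', 'SERVER_SOFTWARE', 'GATEWAY_INTERFACE', 'HTTPS',
    'DOCUMENT_ROOT', 'DOCUMENT_URI', 'REQUEST_URI', 'REQUEST_METHOD',
    'QUERY_STRING', 'SCRIPT_NAME', 'SCRIPT_FILENAME', 'PHP_SELF',
    'CONTENT_LENGTH', 'CONTENT_TYPE', 'REQUEST_TIME', 'REQUEST_TIME_FLOAT',
];

/** Return only the allowlisted keys and the HTTP_* request headers. */
function scrub_server(array $server, array $keep = SERVER_KEEP): array
{
    $allowed = array_flip($keep);
    return array_filter($server, function ($key) use ($allowed) {
        return isset($allowed[$key]) || strncmp((string) $key, 'HTTP_', 5) === 0;
    }, ARRAY_FILTER_USE_KEY);
}

/** Apply the filter to the live superglobals; returns the removed names. */
function scrub_request_environment(): array
{
    $clean   = scrub_server($_SERVER);
    $removed = array_keys(array_diff_key($_SERVER, $clean));
    foreach ($removed as $name) {
        putenv((string) $name);   // no "=": removes it from the process environment
        unset($_ENV[$name]);
    }
    $_SERVER = $clean;
    return $removed;
}

// Constructed sample built from a few keys of the dump in the post.
$sample = [
    'SHELL' => '/bin/bash', 'PWD' => '/usr/libexec/webmin/init/',
    'SERVER_REALROOT' => '/usr/libexec/webmin', 'HTTP_HOST' => 'mydomain.com',
    'REQUEST_URI' => '/admin/', 'REMOTE_ADDR' => '1.2.3.4',
];
print_r(scrub_server($sample));   // only HTTP_HOST, REQUEST_URI, REMOTE_ADDR remain
```

Calling scrub_request_environment() from a file loaded before application code (for example through the auto_prepend_file setting) applies it to every request. It hides the values from scripts but does not change the environment the process was started with.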