$_SERVER cannot be trusted. $_SERVER['HTTP_USER_AGENT'] contains a string that is easily user-configurable - SQL injection possible. There are even browser plugins for that purpose. In fact, there are a lot of $_SERVER vars that can be changed by the user, for example $_SERVER['HTTP_ACCEPT_LANGUAGE']. Have a look at the...
security,nginx,http-headers,header-injection
It looks like nginx is already enforcing at least some of the restrictions on valid host names, but if you wanted to be sure, you could always use the nginx rewrite module to filter the host names yourself, as in: if ($host !~ "^[a-z0-9\-]+([.][a-z0-9\-]+)+$") { return 400; } This should...