Share via

Request.ServerVariables Collection

The ServerVariables collection retrieves the values of predetermined environment variables and request header information.

Server variables obtain most of their information from headers. It is wise to not trust the data that is contained in headers, as this information can be falsified by malicious users. For example, do not rely on data such as cookies to securely identify a user.

As a security precaution, always encode header data or user input before using it. A general method of encoding data is to use Server.HTMLEncode. Alternatively, you can validate header data and user input with a short function such as the one described in Validating User Input to Avoid Attacks. For more detailed information about developing secure Web applications, see chapter 12 of MS Press - Writing Secure Code.


Request.ServerVariables( server environment variable )


  • server environment variable
    Specifies the name of the server environment variable to retrieve. It can be one of the variables listed in IIS Server Variables.

Applies To

Request Object


If a client request includes a header other than those specified in the IIS Server Variables table, you can retrieve the value of that header by preceding the header name with "HTTP_" in the call to Request.ServerVariables. For example, if the client sends a header such as SomeNewHeader:SomeNewValue, you can retrieve SomeNewValue by using the following syntax:

<% Request.ServerVariables("HTTP_SomeNewHeader") %> 

IIS cannot create client headers. Only a client application, such as a Web browser, can send new headers through an HTTP request. If you want to send hidden data between the client and the server, consider setting and retrieving cookies with Response.Cookies and Request.Cookies. If a client does not accept cookies, you can use the following HTML form tag to send hidden data and retrieve it using the Request.Form collection:

<FORM ACTION = "myfile.asp" METHOD = "post"> 
<INPUT NAME="hiddendata" TYPE="hidden" VALUE="secret value"> 

However, this requires the user to click a button. Alternatively, you can store data in the Session.Contents collection if sessions are enabled on your Web site.

Example Code

The following example displays several server variables by name:

<!-- This example displays the content of several ServerVariables. -->  
ALL_HTTP server variable =  
<%= Request.ServerVariables("ALL_HTTP") %> <BR> 
CONTENT_LENGTH server variable =  
<%= Request.ServerVariables("CONTENT_LENGTH") %> <BR>  
CONTENT_TYPE server variable =  
<%= Request.ServerVariables("CONTENT_TYPE") %> <BR> 
QUERY_STRING server variable =  
<%= Request.ServerVariables("QUERY_STRING") %> <BR>  
SERVER_SOFTWARE server variable =  
<%= Request.ServerVariables("SERVER_SOFTWARE") %> <BR>  

The following example uses the VBScript For Each loop to iterate through each existing server variable name. Some will be empty if you have Anonymous Access enabled. The following script lists all of the server variables in a table:

<TR><TD><B>Server Variable</B></TD><TD><B>Value</B></TD></TR> 
<% For Each strKey In Request.ServerVariables %>  
<TD><%= strKey %></TD> 
<TD><%= Request.ServerVariables(strKey) %></TD> 
<% Next %> 

The following example inserts the name of the server to a hyperlink. Note that it is possible for a malicious user to inject script into this link to redirect people away from your site. For more information on script injection, see MS Press - Writing Secure Code.

<A HREF= "http://<%=Request.ServerVariables("SERVER_NAME")%>/scripts/MyPage.asp"> 
Link to MyPage.asp 


Client: Requires Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation 4.0.

Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0.

Product: IIS

See Also