cmfolio

Reputation: 3443

Is it unsafe to switch environments based on domain?

I am curious if doing something like setting your "environment" to Production, Dev, Staging, etc. based on a domain name such as dev.domain.com, staging.domain.com is a bad idea.

Can somebody just edit their hosts file to point dev.domain.com to domain.com so now the system thinks it's in Dev when it really is in Prod? This would mean any Dev-specific code will be run by a complete stranger.

Is this possible or is there a better way to determine your environment such as setting it manually in a server variable?

For reference, I am using PHP.

Upvotes: 2

Views: 169

Answers (3)

SaidbakR

Reputation: 13544

This depends on how you use your domain. Suppose that there is domain.com but there are several sub-domains, sub1.domain.com, sub2.domain.com, etc., and every sub-domain is managed by a different user and/or application!

Upvotes: 0

Oswald

Reputation: 31685

Setting your "environment" to Production, Dev, Staging, etc. based on a domain name is absolutely safe. This is because you have total control over what your domain name is.

BEWARE: do not trust what others make you believe your domain name is. For example, $_SERVER['HTTP_HOST'] is not your domain name. It is the value of the HTTP Host header that the client sent you, and the client is therefore free to manipulate it.

Upvotes: 0

gregwhitaker

Reputation: 13420

I would set the environment in a server variable on the machine. This allows you to control it during deployment and it cannot be mucked around with by people who are not authorized to do so. Although if you are worried about developers inadvertently connecting to production, that is a whole other issue. You should be controlling access to production credentials via some other process such as JNDI (in the Java world) or environment keys replaced at runtime or deploy time (works in any language).

Upvotes: 3
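
An added example, not code from any of the answers, combining the two points made above: the environment is read from a variable set on the server, and the client-supplied Host header is only checked against it, never used to choose it. The variable name APP_ENV, the function names and the host lists are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed names: APP_ENV, resolveEnvironment(), hostMatchesEnvironment().
const ALLOWED_ENVIRONMENTS = ['production', 'staging', 'dev'];

// Constructed host lists: which names each deployment is expected to serve.
const EXPECTED_HOSTS = [
    'production' => ['domain.com', 'www.domain.com'],
    'staging'    => ['staging.domain.com'],
    'dev'        => ['dev.domain.com'],
];

/**
 * Resolve the environment from a value set on the machine at deploy time.
 * A missing or unrecognised value falls back to production, so a
 * misconfigured server never enables Dev-only code paths.
 */
function resolveEnvironment($raw): string
{
    $value = is_string($raw) ? strtolower(trim($raw)) : '';
    return in_array($value, ALLOWED_ENVIRONMENTS, true) ? $value : 'production';
}

/**
 * Treat the Host header as untrusted input: it is compared against the
 * names this environment should serve, and never selects the environment.
 */
function hostMatchesEnvironment(string $hostHeader, string $environment): bool
{
    // Normalise case and drop an optional :port suffix before comparing.
    $host = strtolower((string) preg_replace('/:\d+$/', '', trim($hostHeader)));
    return in_array($host, EXPECTED_HOSTS[$environment] ?? [], true);
}

// getenv() returns false when APP_ENV is unset, which resolves to production.
$environment = resolveEnvironment(getenv('APP_ENV'));

// Constructed Host header values, as a client might send them.
foreach (['domain.com', 'dev.domain.com', 'DEV.domain.com:443'] as $host) {
    $ok = hostMatchesEnvironment($host, $environment) ? 'yes' : 'no';
    printf("%-20s env=%s host_ok=%s\n", $host, $environment, $ok);
}
```

A request whose Host header does not match the resolved environment can be rejected or logged; either way it has no effect on which environment's code runs.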
