PHP 8.3: Built-in CLI Server $_SERVER['SERVER_SOFTWARE'] value changed for RFC3875 compliance


PHP has a built-in CGI-compatible server that can be used to test PHP applications without having to use a fully-fledged server software such as Apache, Nginx, or Caddy. It follows RFC3875, which defines the request meta variables and their characteristics, which are exposed to PHP applications in the $_SERVER super global variable.

Prior to PHP 8.3, the $_SERVER['SERVER_SOFTWARE'] value was in the form of PHP %version% Development Server, and this was a violation of the RFC3875 - 4.1.17. This is fixed in PHP 8.3, and the built-in CLI server now follows the pattern required by the RFC.

- PHP 8.2.0 Development Server
+ PHP/8.3.0 (Development Server)  

Note that the X-Powered-By value or its format has not changed.

Backward Compatibility Impact

Because the PHP built-in CLI server is only meant to be used for testing purposes, and because the $_SERVER['SERVER_SOFTWARE'] value is not exposed in HTTP headers or any other usual output, this change is unlikely to cause any impact on existing PHP applications.

Applications that inspect $_SERVER['SERVER_SOFTWARE'] value to determine if the application is being served by the built-in might be impacted.

The objectively better ways to determine if the application is being run by PHP CLI is to by checking the PHP_SAPI constant name to be cli-server. Applications that previously inspected the $_SERVER['SERVER_SOFTWARE'] value pattern can be updated as shown below:

- if (preg_match("/PHP (.*) Development Server/", $_SERVER['SERVER_SOFTWARE']) {
+ if (PHP_SAPI === 'cli-server') {

Alternately the following regular expression matches both patterns of $_SERVER['SERVER_SOFTWARE'] values:

/^PHP(.*? Development Server|\/.*? \(Development Server\))$/
- if (preg_match("/PHP (.*) Development Server/", $_SERVER['SERVER_SOFTWARE']) {
+ if (preg_match("/^PHP(.*? Development Server|\/.*? \(Development Server\))$/", $_SERVER['SERVER_SOFTWARE']) {