... faked by the user, therefore user-supplied. Do yourself a favor and treat it as such.
This is not entirely true. But don't feel bad, there are very few people that realize if you use Allow [httpd.apache.org]/Deny directives with a partial domain-name match Apache will indeed populate theREMOTE_HOST environment variable, regardless of the setting of the HostnameLookups directive. This happens because it causes Apache to perform a double reverse DNS lookup on the client IP address.