Variables that start with HTTP_ are direct pass-throughs from browser headers. Other variables are set by various computations within Apache itself.

So, the quick answer is "absolutely don't trust anything in the HTTP_ list, but the rest can be considered as safe as your operating system".

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.