REMOTE_USER should be safe to use under Apache and most other HTTP servers. The variables that are not safe to use, are the ones that are provided directly from the client. These usually begin with HTTP_*.