Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I want to show certain content if traffic comes to my WordPress site from Google search. I want to use $_SERVER["HTTP_REFERER"]. Security is not a huge issue -- if some client really wants to lie that they are coming through Google, that is no big deal (they'll just see an ad). I also understand that I need to check what they send through $_SERVER["HTTP_REFERER"] for malicious code. However, I see that according to answers in this post, Determining Referer in PHP, not all browsers send HTTP_REFERER.
What browsers don't send it? What versions?
When the referring site has SSL turned on, it will often not include the HTTP_REFERER. As you can imagine, this is by design for security purposes. Code accordingly.
This makes it difficult to know when visitors are coming from sites like YouTube and Gmail, which use SSL by default.
Also this question is similar:
Is there referrer header while using SSL?
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 2 years ago.
After I finished setting up TLS with Let's Encrypt, my site under WordPress is only displayed in ugly HTML.
My architecture is the following:
(reverse proxy) => (nat box)=>(reverse proxy2)=>(web server)
I obviously changed the WordPress configuration for https.
Do you have any idea where this might be coming from?
You could try https://wordpress.org/plugins/wp-letsencrypt-ssl/#description. The plugin could force SSL/HTTPS, fixing insecure content & mixed content issues easily.
Access your site via a browser and check the console. You will probably see resources (probably your CSS) that are being prevented from loading because they are 'http' requests in an 'https' connection.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
My website uses cookies and I've noticed that I'm able to change the value of the cookies with a Chrome plugin. Is there a way to make it so people cannot edit the cookie? I've been thinking of writing a script to check if the cookie changes but I'm not sure if this would work. Any help would be greatly appreciated, thanks.
No, cookies are stored on the client side and you don't have any control over them. You have to validate them on the server prior to use every single time. When it comes to web development, you need to see your clients as a potential security liability. You can't trust them.
If you want to make it a little harder for the attacker, you can encrypt the contents of your cookies, but the fact they're on the client side means the attacker can try to decrypt them and modify them as they wish...
=> If you have data you need to keep away from users, don't use cookies for that. You should use Session in that case.
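One way to do the server-side validation the answers above call for, as an added example that is not part of the original posts: the server attaches an HMAC to the cookie value and rejects any cookie whose MAC no longer matches. This goes beyond what the answers spell out; the key, the function names and the `plan=...` values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical key for this example; load a random secret from server-side config.
const COOKIE_KEY = 'constructed-demo-key-do-not-reuse';

// Returns "<base64 value>.<hex HMAC-SHA256>". The value stays readable by the
// client; the MAC only makes modification detectable.
function sign_cookie(string $value, string $key): string
{
    $payload = base64_encode($value);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the original value, or null when the cookie is malformed or was modified.
function verify_cookie(string $cookie, string $key): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // hash_equals compares in constant time, so the check does not leak the MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $value = base64_decode($payload, true);
    return $value === false ? null : $value;
}

// In a request handler (PHP 7.3+ option array):
//   setcookie('prefs', sign_cookie($v, COOKIE_KEY),
//             ['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
//   $prefs = verify_cookie($_COOKIE['prefs'] ?? '', COOKIE_KEY);

// Constructed demo: the cookie as issued, and the same cookie after the value
// part was changed on the client while the old MAC was kept.
$issued = sign_cookie('plan=free', COOKIE_KEY);
$edited = base64_encode('plan=premium') . substr($issued, strpos($issued, '.'));

var_dump(verify_cookie($issued, COOKIE_KEY));
var_dump(verify_cookie($edited, COOKIE_KEY));
var_dump(verify_cookie('not-a-signed-cookie', COOKIE_KEY));
```

A valid MAC only proves the server issued that value at some point; it does not hide the value or stop an old cookie from being sent again, so data that must stay away from users still belongs in the session.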
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I'm interested in how I can detect the source of a visit - is it a direct link, via a referrer or via a search engine - using PHP.
More concisely, when someone accesses my website by directly typing http://ww.mysite.com in their browser, how can I detect such visitors (using PHP)?
Each request has a referer, i.e. a URL which the user came from. PHP provides this information in the $_SERVER['HTTP_REFERER'] variable.
If a user accessed your website directly, i.e. via direct type-in or a bookmark, the referer is empty.
Note that some browser add-ons and “security software” will remove the referer for privacy reasons.
But if it's just for statistical purposes, you may assume that the referer is valid in 99.9% of all page views.
But remember: The referer can easily be forged to contain any value the visitor wants it to be, including malicious code like XSS or SQL injection. Be careful when processing it.
There is no way to know for sure, but if $_SERVER['HTTP_REFERER'] is not set, then it is likely to be a direct visit. You can also add parameters to links that you use in advertising to help you track the source; for example, you might place adverts with links to example.com/?source=my-advertising-campaign
Try this:
$_SERVER['HTTP_REFERER']
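The referer handling discussed in the answers above, for both the Google-search question and the direct-visit question, as an added example that is not part of the original posts. It treats the header as untrusted input, keeps only a validated host name, and treats a missing header as "direct or unknown". The function names, the list of search domains and `www.mysite.example` are assumptions; `str_ends_with` needs PHP 8.

```php
<?php
declare(strict_types=1);
// Constructed sample list of search-engine domains; extend it for your own traffic.
const SEARCH_DOMAINS = ['google.com', 'google.co.uk', 'google.de'];

// True when $host equals $domain or is a subdomain of it.
function host_matches(string $host, string $domain): bool
{
    return $host === $domain || str_ends_with($host, '.' . $domain);
}

// Classify a visit from the raw Referer header (null when the header is absent).
// Only a validated, lower-cased host name is returned, never the raw header.
function classify_referer(?string $referer, string $ownHost): array
{
    if ($referer === null || trim($referer) === '') {
        // Typed-in URL, bookmark, or a header withheld or stripped on the way.
        return ['source' => 'direct_or_unknown', 'host' => null];
    }
    $parts = strlen($referer) <= 2048 ? parse_url($referer) : false;
    $scheme = is_array($parts) ? strtolower($parts['scheme'] ?? '') : '';
    $host = is_array($parts) ? strtolower($parts['host'] ?? '') : '';
    if (!in_array($scheme, ['http', 'https'], true) || !preg_match('/^[a-z0-9.-]{1,253}$/', $host)) {
        return ['source' => 'invalid', 'host' => null];
    }
    if (host_matches($host, strtolower($ownHost))) {
        return ['source' => 'internal', 'host' => $host];
    }
    foreach (SEARCH_DOMAINS as $domain) {
        if (host_matches($host, $domain)) {
            return ['source' => 'search', 'host' => $host];
        }
    }
    return ['source' => 'referral', 'host' => $host];
}

// Constructed sample headers; in a handler pass $_SERVER['HTTP_REFERER'] ?? null.
$samples = [
    null,
    'https://www.google.com/',
    'https://google.com.attacker.example/search?q=x',
    'http://blog.example.net/post?id=1',
    'https://www.google.com/"><script>alert(1)</script>',
];
foreach ($samples as $raw) {
    $r = classify_referer($raw, 'www.mysite.example');
    printf("%-18s %s\n", $r['source'], $r['host'] ?? '-');
}
```

The result is a hint for choosing content or for statistics, not proof of origin: a client can send any Referer it likes.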
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
I am experimenting on a blogging website like Tumblr, Blogger...[etc]. In a blogging website user should have full control over what they're posting.
So if I allow users to include Javascript code in blog posts, would that make my site vulnerable to XSS attacks? (which I think it will)
So what would be the best way:
Allow users to include Javascript in HTML
Block all the Javascript code.
Something else...(which I don't know)
I am using PHP/MySQL
No, it's generally a very bad idea to allow third parties to execute/inject code into your site. That's just asking for trouble.
Most XSS vulnerabilities come from cookies, and/or same-origin requests (e.g. they could POST to the delete account page).
Sites such as Tumblr circumvent this by using subdomains. A request from http://foo.example.org to http://example.org is treated the same as a request from http://example.com (cross-origin). No cookies will be passed, so there is no XSS vulnerability.
Of course there are still rootkit scripts around, but users take that risk going to any site with an outdated browser. Make sure to disclaim that somewhere.
No, it's a bad idea. Also, don't forget that not all your users have some knowledge of informatics. Otherwise, if you want a site for developers, you can use, for example, some website's API like jsfiddle http://doc.jsfiddle.net/api/
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I'm using PHP and cURL to get the content of various websites. Some sites require POST values. I want to check if the site expects any POST values to be sent.
You cannot do that, unless sites specifically tell you in their response headers what they are expecting (and they rarely, if ever, do). Best you can do is take a look at returned headers from the request. You cannot automate this process.
Not entirely sure what you're asking here, OP. But when creating scripts in cURL to automate interaction with other websites, you generally have to investigate manually to find out what parameters need to be passed to get to the information you want...
It'll be a case of using tools such as Source Code View, and the Firefox add-on which allows you to modify POST information (forgotten what it's called), to see what's actually happening when you visit the site.