how to find out which website is requesting my webpage? - php

I have a webpage... sort of like an API... basically it prints out some data in the form of JSON.
Other websites can use this data via PHP by simply using file_get_contents
or
a JavaScript/jQuery AJAX request (JSONP).
Anyway, I want to be able to blacklist some unwanted websites, so I have to know where these requests are coming from.
I've tried
$url = $_SERVER['HTTP_REFERER'];
$domain = parse_url($url, PHP_URL_HOST);
but I get
Undefined index: HTTP_REFERER
So unless I'm mistaken and this was a weird exception, HTTP_REFERER doesn't work here.
So how can I get the referer in the case of a file_get_contents page request?

Note that AJAX requests are usually sent through the client's browser, while a server would usually call file_get_contents() or a similar tool to fetch your page.
So in the case of a server, you can check the REMOTE_ADDR HTTP header (which contains the caller's IP) against a blacklist.
In the case of an AJAX request, which probably comes from a user agent, you can't really say which website it originated from.
I am not sure, but the HTTP_REFERER header might contain exactly that; again, I have not checked it.
UPDATE (AJAX requests):
After looking it up a little, it turns out that browsers don't send referrer data with XHR requests, so you can only blacklist the IPs of the servers you don't want to be accessed from.

If the server requests it directly then you can use $_SERVER 'REMOTE_ADDR' and 'REMOTE_HOST'.
If they use JavaScript then you will only get the client's IP. You can use strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest' to disallow jQuery requests.

Isn't what you're looking for $_SERVER['REMOTE_ADDR']? AJAX calls probably won't have a Referer header, and that's why you are getting that error.

The HTTP Referrer gets sent by a browser, probably not by file_get_contents()!
You can use $_SERVER['REMOTE_ADDR']. This will give you the raw IP address from the TCP stack.
In the case of a server-side API call, you get the server's IP (assuming the client does not use any proxies).
However, if the client is an AJAX request, you'll get the IP address of the user viewing that page.

HTTP_REFERER is not going to be reliable. You might try $_SERVER['REMOTE_ADDR'] to inspect IP address of remote client.
I would however think that you would have a better time whitelisting approved clients rather than blacklisting, as an attacker could easily proxy a request to get around an IP/host-based blacklist.
There are a number of approaches for whitelisting:
whitelist known IPs
HTTP Authentication
Your own custom API keys
Third party authentication (i.e. OAuth)
and so forth.
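An added example, not from any answer on this page, that puts two of the whitelisting options above (known IPs and custom API keys) into one server-side check for the JSON endpoint; the addresses, the key store and the X-Api-Key header name are assumptions.

```php
<?php
// Added example (not from any answer on this page): allowlist-based access
// control for a JSON endpoint, combining the "whitelist known IPs" and
// "custom API keys" options. Addresses, keys and header name are placeholders.
declare(strict_types=1);
const ALLOWED_IPS = ['203.0.113.10', '198.51.100.7'];         // constructed sample IPs
const API_KEYS    = ['client-a' => 'REPLACE-WITH-RANDOM-KEY']; // placeholder key store

function clientIp(): string
{
    // REMOTE_ADDR is filled in by the web server from the TCP connection, not
    // by the caller, so unlike Referer it cannot simply be set to anything.
    // It is the peer address: behind a reverse proxy it is the proxy's address.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function ipAllowed(string $ip): bool
{
    return in_array($ip, ALLOWED_IPS, true);
}

function keyAllowed(?string $presented): bool
{
    if ($presented === null || $presented === '') {
        return false;
    }
    foreach (API_KEYS as $key) {
        // hash_equals() compares in constant time (no timing side channel).
        if (hash_equals($key, $presented)) {
            return true;
        }
    }
    return false;
}

// Referer is optional and client-controlled: log it for context, never rely on it.
$referer = $_SERVER['HTTP_REFERER'] ?? '(none)';
// A request header "X-Api-Key: <value>" shows up as $_SERVER['HTTP_X_API_KEY'].
$presentedKey = $_SERVER['HTTP_X_API_KEY'] ?? null;
// Policy: accept a known address or a valid key; deny everything else.
if (!ipAllowed(clientIp()) && !keyAllowed($presentedKey)) {
    error_log(sprintf('denied ip=%s referer=%s', clientIp(), $referer));
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'forbidden']);
    exit;
}
header('Content-Type: application/json');
echo json_encode(['data' => 'hello']);
```

A JSONP `<script>` request cannot carry the custom header, so the key check only helps server-to-server callers; browser widgets need a different scheme.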

Related

From which domain name the post request comes from?

I've built an API for providing some data a user needs to get. So every time a user hits the server with a curl POST request, the server checks the header auth token and provides the data. Now I want to check the domain from where the POST request comes. How could I check this?
That isn't feasible as far as I can tell.
Browsers may send a Referer (sic) HTTP header, but Curl clients don't normally care. In any case the information is provided by the client so it isn't something you can trust.
The IP address of the incoming request may or may not be the actual client address. Even if it is, an IP address can resolve to zero, one or several domains.

Restrict the requests coming to my webpage based on their url in PHP

I have to restrict the users accessing my webpage based on the URL from where the request is coming to my webpage. I am able to get the URL from where the request is coming using
$_SERVER['HTTP_REFERER']
As I know, HTTP_REFERER is a header which is sent by the client; most browsers' default behavior is to send it, but users can disable it or even send a different referer header. So is there any way to do proper validation of requests based on their URL?
Unfortunately, if the user has set the browser to modify the referrer header, there's no way for PHP to discern whether or not the request has come from a certain website.
Blocking traffic from a URL, although easy to do - cannot ever be 100% accurate.

How to controll access for a response to a http request ? (server side & client side)

Excluding the same origin policy that all major browsers have and the synchronised token pattern (it would be a pain in the ass to tokenise all requests), how would you check if the request is sent directly from my user interface and not through a third party?
For example, sending a request from an iframe to YouTube (by that I mean the src=..., not the XMLHttpRequest object), the response would be a blank page (how do they do it?); send a request to Facebook ajax.hovercard (it's a simple get content request) from an iframe, and the address bar will also give you a blank page (no content). So the response is normal content from an iframe request.
Like I said before, how would you check (preferably some server side code) if the request is coming from a trusted source?
P.S.: Don't rely on headers; I don't know why I'm not receiving Origin from requests, although I see they all implemented the Origin header in all major browsers. Referer can be modified by some anti-spyware programs. And anyway the headers can't really be trusted. But yes, that should be a layer for checking.
Check $_SERVER['HTTP_REFERER'] and see if it's coming from your own site.
You can't really be sure of the origin of the user. The user agent can be spoofed easily.
I think you can create some CSRF tokens in your user interface and allow only clients that have those tokens.
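An added example, not from the answer above, of the CSRF-token idea in PHP: the server issues a per-session token when it renders the UI and only honours POSTs that return it. Session handling, the field name and the X-CSRF-Token header name are assumptions.

```php
<?php
// Added example (not from the answer): a synchroniser-token check so only
// requests issued from a page this server rendered are accepted. Session
// handling, the field name and the header name are assumptions.
declare(strict_types=1);
session_start();

function csrfToken(): string
{
    // One random, server-generated token per session. A third-party page
    // cannot read it, because the same-origin policy keeps it out of reach.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfValid(?string $presented): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals(): constant-time comparison.
    return $expected !== '' && $presented !== null && hash_equals($expected, $presented);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The token arrives in a form field, or in a custom header for XHR.
    $presented = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrfValid($presented)) {
        http_response_code(403);
        exit('forbidden');
    }
    echo 'ok';
    exit;
}

// GET: render the UI with the token embedded for both the form and XHR callers.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post">
  <input type="hidden" name="csrf_token" value="{$token}">
  <button>Send</button>
</form>
<script>
  // XHR callers send the same token as a header, e.g.:
  // fetch(location.href, {method: 'POST', headers: {'X-CSRF-Token': '{$token}'}});
</script>
HTML;
```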

PHP get the site that calls your script via file_get_contents

I have a PHP script hosted on my site that outputs a value based on the GET parameters passed.
Other sites call this script from within their own PHP scripts via the PHP function file_get_contents with the url and get params and are served back just the value requested.
I am trying to allow only certain domains access to this script and have been using HTTP_REFERER to check who's calling the script.
if (isset($_SERVER['HTTP_REFERER'])) // check if referrer is set
{
echo $_SERVER['HTTP_REFERER']; // echo referrer
}
else
{
echo 'No referrer set'; // echo failure message
}
I am getting No referrer set when I use file_get_contents but if I use a clicked link from a page to a script with the above code the referrer displays correctly.
Am I using the wrong function (file_get_contents) to call the external script and can someone suggest the correct one or should this work?
Any help much appreciated.
Thanks
Bear in mind that the HTTP "Referer" header is an optional header -- there's no need for a site to send it to you, and it can be easily faked. If you really only want certain people to use your resources, you're better off using some form of authentication.
Typically Referer: is sent by web browsers, but there's no need for it to be -- for example, they won't send it if the referer is a secure site. With a PHP file_get_contents() there isn't technically a referer anyway; you're not being "referred" from anywhere.
Consider instead either:
Locking down by IP address (but bear in mind that multiple domains can share a single IP, and that a domain's IP can change.)
Using some form of authentication (preferably not one that transmits passwords in plain text!)
You should consider how secure you need this service to be, and what threats might attack it when deciding the right security to apply.
You would be much better off restricting based on IP address rather than domain; it's much more reliable. Just keep an array of allowed IPs and call in_array($_SERVER['REMOTE_ADDR'], $allowedAddresses) to validate it.
Or just require authentication via a cookie or HTTP auth...
You can't do this using HTTP_REFERER.
The HTTP_REFERER is set by the client, and it can be anything the client wants.
You have to use a password / key authentication mechanism instead.
May want to use something along the lines of a stream context to set extra headers.
http://us.php.net/manual/en/function.stream-context-create.php
Additionally, if needed, you could set a 'secret' header to authenticate the requests, rather than the referer.
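An added example, not from the answer above, of the caller's side of that 'secret header' approach: file_get_contents() with a stream context that adds the header, plus a check of the response status from $http_response_header. The URL, the X-Api-Key header name and the key value are placeholders.

```php
<?php
// Added example (not from the answer): the calling side of a "secret header"
// scheme using file_get_contents() with a stream context. The URL, header
// name and key value are placeholders.
declare(strict_types=1);

function fetchWithKey(string $url, string $apiKey): ?string
{
    $context = stream_context_create([
        'http' => [
            'method'        => 'GET',
            // Header lines are CRLF-terminated; the server sees HTTP_X_API_KEY.
            'header'        => "X-Api-Key: {$apiKey}\r\n"
                             . "Accept: application/json\r\n",
            'timeout'       => 5,
            'ignore_errors' => true, // return the body even on 4xx/5xx
        ],
    ]);

    $body = @file_get_contents($url, false, $context);
    if ($body === false) {
        return null; // DNS/network failure
    }

    // The HTTP wrapper fills $http_response_header in the calling scope.
    $status = 0;
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return $status === 200 ? $body : null; // 403 from the API means "not allowed"
}

// Use HTTPS so the key is not sent in clear text (placeholder host).
$result = fetchWithKey('https://api.example.invalid/data.php?id=42', 'REPLACE-WITH-KEY');
echo $result ?? "request rejected or failed\n";
```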

PHP - Source (hostname) of a GET request

I have a Javascript widget that people can embed on their site.
I want to use a simple cross domain get request to pull in a hash.
However I need my PHP script to only allow this cross domain request from a series of domains I have stored in an array.
What can I do in my PHP script (not in .htaccess or iptables) to find out the source (hostname) of the GET request?
Considering the client (user's browser) can send you whatever it wants, I would say there is no way to be sure which website your script is called from:
As you want to know the URL of the website embedding your widget, and not the address of the user, $_SERVER['REMOTE_HOST'] will not help
$_SERVER['HTTP_REFERER'] could seem OK, but actually is not:
The client doesn't have to send it (and it doesn't always do)
As it is sent by the client, it can be forged / faked quite easily
So, I'd say there is no real solution to this problem, at least on your server's side (if I'm wrong, I'm interested to know!)
But maybe you can do something on the client's side: when writing all this, I thought about Google Maps and its system of API keys:
you have a (unique) API key for your domain
When you load the JS scripts from Google, you send this key
if the key is not registered for the domain on which you are trying to display the map, there is an alert message, saying "The Google Maps API server rejected your request. This could be because the API key used on this site was registered for a different web site."
but the map seems to be displayed anyway -- at least on my test server
this alert is really annoying for the end-user, and I don't think anyone would want an alert displayed on their site because they are using your service without authorisation...
Maybe you can have a look at how this is done for Google Maps :-)
You could use the $_SERVER variable. In particular the $_SERVER['REMOTE_HOST'], but see below for the caveat:
However, your web server must be configured to create this variable. For example in Apache you'll need HostnameLookups On inside httpd.conf for it to exist. See also gethostbyaddr().
If the requests are coming from JavaScript, you could check the HTTP referrer header ($_SERVER['HTTP_REFERER']). However, it's optional - some proxies or security programs strip the referrer header out of HTTP requests.
