I have created simple web service for my website that generates some json based on request, using php, but I want it to be protected so that only I can use it. I mean it should be available for my website only. No one without my permission should be able to use that json on their website.
What is the best method for that in php?
You could try using HTTP_REFERRER header field, but it's easily spoofed and therefore insecure.
How about using PHP sessions?
Set some variable in session in your main page script, then check for its existence when processing API requests; if the variable in session is not set, don't serve the content.
Give OAuth a try, it is widely used for this propose.
Only allow your server's IP to access the service. Or do you mean you're calling it from the browser?
Then you'd have to pass some kind of token to the service, proving that you're authenticated to call it.
Use a cookie to validate, this way you are independent from your ip address.
Related
I've read a lot about .htaccess rules, checking headers, using encryption etc.. but I haven't found exactly the answer I'm after. I know that assuming the server is set up right, you can't access my precious PHP scripts with AJAX. I tried checking if an access variable was defined which disallowed address bar access but also blocked my AJAX requests.
If I have some PHP scripts that I use for AJAX calls, is there a way that I can prevent address bar access, PHP POST (cURL etc) as well as AJAX from outside my domain (assumed via cross-domain access restrictions) ?
There is NO way absolutely to safely/reliably identify which part of the browser the request comes from -- address bar, AJAX. There's a way to identify what is sending though browser/curl/etc via User-Agent header (but not reliably)
A quick but a lot less reliable solution would be to check for the following header. Most browsers attach it with AJAX calls. Be sure to thoroughly look into it, and implement.
X-Requested-With: XMLHttpRequest
NOTE: Do not trust the client if the resource is cruicial. You are better off implementing some other means of access filtering. Remember, any one can fake headers!
You can check whether the request isn't an Ajax request and forbid it, but it's not really safe due to the fact that the headers can be manipulated.
What you can do is to block every IP except the IP which is allowed to access those files.
What can do either is do implement a kind of authentication, where external applications have to send credentials to your script and the scripts checks if the client is valid.
Many ways, but they're all not really the best ways to achieve maximum security.
I do not know definitely. However – indirectly, you can do this. Pass a unique and constantly changing parameter (GET or POST) that only you have access to as proof of the origin. If the request lacks this unique variable, then its not from you. Think outside the box on this one. Could be anything you want, here are some ideas.
1) pass the result of a mathematical equation as proof of origin. Something that you can programmatically predict, yet not obvious to prying header hackers. i.e cos($dayOfYear) or even better base64_encode(base64_encode(cos($dayOfYear))).
2) store a unique key in a database that changes every time someone access the page. Then pass that key along with the request, and do some checks on the end page, if they dont match up to the database key, you've found the peeping tom. (note there will be logic involved for making sure the key hasn't changed in between transmission of requests)
etc..
Try to catch if isset SERVER['HTTP_ORIGIN'] from the POST access, it must be identical to your domain. If so, then the POST is generated by yourselft website and it's safe to process it.
I am working on a web application that will be hosted on a server that is "on the internet", not a LAN.
The app uses quite a bit of AJAX calls and has about 12 ajax handler files for the functions.
My question is instead of asking anybody here to write a tutorial on AJAX security, does anybody know of any good resources (website, book, whatever) that can help me with securing these files.
Right now, as long as you know the variable name its looking for you can freely get data from the database.
I was thinking maybe session validation, or something along those lines for the logged in user.
Anyways if you have any good resources I'll do the homework myself.
Thanks
AJAX calls are generally used to access web services, which is what it seems you are using them for here. If that is the case then what you need to be concerned about is the security layer that you have provided in the server-side scripting language you are using (looks like you are using PHP as per your question's tags).
The same way that you do authentication and protection for other pages on your site that aren't accessed via AJAX calls you can implement for your web services. For instance, if you require authentication for your application then you can store the user's ID in $_SESSION. From there you can check to make sure the user is logged in via $_SESSION whenever one of your web services is requested.
I've often seen AJAX calls that check the X-REQUESTED-WITH HTTP header to "verify" that the request originated from AJAX. Depending on how you're sending your AJAX calls (with XmlHttpRequest or a JS library), you can either use the standard value for this header, or set it to a custom value. That way, you can do something similar to this in PHP to check if the page was requested with AJAX:
http://davidwalsh.name/detect-ajax
if( !empty($_SERVER['HTTP_X_REQUESTED_WITH']) &&
strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')
It is important to note that since it's an HTTP header, it can be spoofed, so it is by no means full-proof.
Here is a good resource. Securing Ajax Applications: Ensuring the Safety of the Dynamic Web
However a very simple method is to use a MD5 hash with a private key. e.g. USER_NAME+PRIVATE_KEY. If you know the users name on the website/login you can provide that key in an MD5 hash set to a javascript variable. Then simply pass the users name in your AJAX request and the REST service can just take the same private key plus the users name and compare the two hashes. You're simply sending across a hash, and the user name then. It's simple and effective. Virtually impossible to reverse too unless you have a simple private key.
So in your javascript you might have this set:
var user='username';
var hash='925c35bae29a5d18124ead6fd0771756'
Then, when you send your request you send something like this:
myService.php?user=username&hash=925c35bae29a5d18124ead6fd0771756&morerequests=goodthings
When you check it, in the service you would do something like this
<?php
if(md5($_REQUEST['user']."_privatekey")==$_REQUEST['hash']){
echo 'passed validation';
}else{
echo 'sorry charlie';
}?>
Obviously you would need to use PHP or something else to generate the hash with the private key, but I think you get the general idea. _privatekey should be something complex in the event you do have a troll that tries to hack it.
We are planning to deploy our GWT module as explained in
http://code.google.com/webtoolkit/doc/1.6/DevGuideServerCommunication.html#DevGuideRPCDeployment
under the section "Using Tomcat with Apache HTTPD and a proxy"
Basically, we configured Apache/PHP server to pass on the requests to a Tomcat/GWT server that match a part of the URL. That worked as expected.
Now we would like to pass the information of the currently logged in user from Apache/PHP to the GWT module.
My initial idea was to load the GWT module from a PHP page (by including it's nocache.js) and include a login token with it which the GWT module can read.
But I am not sure if it is safe to read a DOM value and consider that as a login token.
Any suggestions for what would be the best way to do it?
Thank you.
IMHO it is definitifly the best idea to use a login-token, that is passed from apache/php to your gwt project. To pass this token, you have three possibilities:
First one: You can pass your token using a cookie. Write your token into a cookie and read it again in your GWT-context:
import com.google.gwt.user.client.Cookies;
Collection<String> cookies = Cookies.getCookieNames();
An example on dealing with cookies from GWT you can find in the GWT-Showcase.
Second one: Instead of writing your token to a cookie, you can pass it with a HTTP GET and read this again within your GWT-context:
// returns whole query string
public static String getQueryString() {
return Window.Location.getQueryString();
}
// returns specific parameter
public static String getQueryString(String name) {
return Window.Location.getParameter(name);
}
This method is -IMHO- that one you should never ever choose!
Third one: Instead of a HTTP GET you can also use a HTTP POST. The HTTP POST is send to the server. So you have to handle the request on your server-side with a simple servlet. This can be implemented as singelton and so be readable from your GWT-server-context. This method is a bit complex and brings a lot of work, since you then have to pass your information back to the GWT-client-context.
Which version is the best for you, depends on the details of your project. Usually I would say, that the Cookie-Version is the best.
How to detect anonymous user like facebook does, when you open it throught proxy websites like hidemyass.com. I think its something related to proxy, but beyond I dont know anything about it, but I want to create that.
Most common way to detect proxy servers is by looking if these http headers fields are empty (if not, a proxy is used to access you're webserver):
HTTP_FORWARDED
HTTP:X-Forwarded
HTTP:Forwarded-For
HTTP:X-Forwarded-For
In PHP you can read these values with the getenv() function.
It is hard to say who is trying to hide his identity and who has limited/restricted access based on firewall rules etc. You can also check if user accept COOKIES by sending special token on first request and fetching on second.
I'm not sure how to describe this, but basically I have a PHP class file:
class HelloHello {
public function getSomeData($input_parameter){
// code to retrieve data from the database
}
public function deleteSomeData($input_parameter){
// code to delete data from the database
}
}
This class is on the server and is part of the backend that connects with a database, and it's meant to be accessed by the frontend SWF only (not to be directly accessed). I've setup Flex to read this class and access it. But how do I make sure that someone doesn't develop a script that can call this php file directly and access its methods? For example using a script to add data in a fast automated way, or use the delete method directly, ouch.
Is this a legitimate concern, or this can't be done?
If a user can view it through your flash application, the user can view it with his application. You could go through the [ugly] mess of trying to "secure" your script by introducing cookies and authentication and the like, but thats messy, and of course, it can be gone around.
Instead of trying to stop others from accessing your php file, focus on making it more secure.
If you know the url where swf runs, can't you just in PHP limit the requests to that url? Disregard all other requests.
You can secure your file by adding security and authentication. If you cannot do that (it is a public application) you should implement some techniques which can prevent specific situations: do not allow calling your script too many times per second from the same IP, add CAPTHCA in order to check that the entered data were from a human and not a machine and maybe another ones.
You could also implement a challenge-reponse security system that makes sure the client you use is actually the intended recpipient of the data. That way, you would embed a secret key into the SWF. The PHP app sends a one-time string, the client does something to it according to its secret and then sends the answer back -- which your server can validate and then continue to run.
For some basic mathematical foundations to this, there's quite some documentation online.