1

Suppose X.com will send a POST request to Y.com. How does Y know that the sender is X? Without the URL query string, of course.

$_SERVER['HTTP_REFERER'] from http://php.net/manual/en/reserved.variables.server.php seems not to be the answer. The documentation itself says "it cannot really be trusted".

Should it use a key & secret key parameter?

jvs
  • What are you using it for? Because the referrer is specified by the party making the request, they can set it to whatever their heart desires. – wolfemm Nov 14 '14 at 23:33
  • They cannot know for sure anything more than the client's IP address, and even that is not too useful in a world where proxies exist. – Jon Nov 14 '14 at 23:36
  • @wolfemm, I want to make X a data server whose data will be accessed by multiple sites (Y.com or Z.com). It will provide JSON as the result of the request. Sometimes there is sensitive data that other domains outside of Y & Z should not be able to request. – jvs Nov 15 '14 at 00:00

1 Answer

1

Send a secret value across with your request, such as a key which you can check for in your script on X.com.

Y.com:

$secret = 'SECRET_KEY'; // sent in the POST body of the request to X.com, never in the query string

X.com:

$expected = 'SECRET_KEY'; // must match the value Y.com sends; keep it out of the webroot
// hash_equals(): constant-time compare, and no == type juggling ("0e..." strings).
// htmlentities() is not needed here: the value is compared, not rendered.
if (!empty($_POST['secret']) && hash_equals($expected, (string) $_POST['secret'])) {
    // Request came from Y.com
}
DrRoach
  • Yes, sending a key and secret key seems the best way. @drroach, would you extend your answer? It would be more useful for other users who Google their way here. – jvs Nov 15 '14 at 00:09
  • 1
    @jvs while implementing this, bear in mind that AJAX (since the question is tagged ajax) complicates things a little, as users can just monitor the requests sent and grab the secret. I'd suggest researching CSRF token implementations. – wolfemm Nov 15 '14 at 00:20
  • @wolfemm, yes, it would be requested both via regular POST and AJAX. Would you write an answer? – jvs Nov 15 '14 at 00:32
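The "key & secret key" scheme the question asks about, carried one step further than the answer's plain shared secret: Y.com signs each request with an HMAC over a timestamp and the body, and X.com verifies it against the secret registered for that key id. This is an added example, not code from the answer above; the names CLIENT_SECRETS, sign_request() and verify_request(), the key id 'ycom-key-1', the secret value and the JSON body are all constructed for the demo, and the "request" is built in memory rather than sent over HTTP so the script runs stand-alone. It also addresses wolfemm's AJAX point: the secret only ever lives in Y's server-side code, so a browser page should POST to Y's own backend, which signs and relays the request.

```php
<?php
// Added example: HMAC request signing between Y.com (client) and X.com (data server).
// All names, key ids, secrets and sample data below are hypothetical.

// X.com side: registry of issued credentials, key id -> secret.
// Keep this outside the webroot (config file, environment, secrets store).
const CLIENT_SECRETS = [
    'ycom-key-1' => 'c4f8e2a19b7d3e5f0a6c2d8b1e9f7a3c5d2b8e4f6a1c9d7b3e5f2a8c4d6b0e1f',
];

// Y.com side: sign the request. Only Y's server holds the secret; a browser
// must never see it, so AJAX pages post to Y's backend, which calls this.
function sign_request(string $keyId, string $secret, string $body, int $ts): array
{
    $msg = $ts . "\n" . $body;            // bind timestamp and body together
    $sig = hash_hmac('sha256', $msg, $secret);
    return ['key_id' => $keyId, 'ts' => $ts, 'sig' => $sig, 'body' => $body];
}

// X.com side: verify. Returns null when the request is accepted,
// otherwise a short rejection reason (log it, do not echo it to the client).
function verify_request(array $req, array $secrets, int $now, int $maxSkew = 300): ?string
{
    if (!isset($req['key_id'], $req['ts'], $req['sig'], $req['body'])) {
        return 'missing fields';
    }
    if (!isset($secrets[$req['key_id']])) {
        return 'unknown key id';          // Z.com or anyone else without a credential
    }
    $ts = (int) $req['ts'];
    if (abs($now - $ts) > $maxSkew) {
        return 'stale timestamp';         // bounds replay of a captured request
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $req['body'], $secrets[$req['key_id']]);
    // hash_equals(): constant-time compare and no == type juggling on "0e..." strings
    if (!hash_equals($expected, (string) $req['sig'])) {
        return 'bad signature';           // body or timestamp was altered, or wrong secret
    }
    return null;
}

// Demo with constructed data (no network involved).
$body = json_encode(['report' => 'q3', 'fields' => ['ssn', 'salary']]);
$now  = time();

$good = sign_request('ycom-key-1', CLIENT_SECRETS['ycom-key-1'], $body, $now);
echo 'valid request:    ', var_export(verify_request($good, CLIENT_SECRETS, $now), true), PHP_EOL;

$tampered = $good;
$tampered['body'] = json_encode(['report' => 'all']);   // body changed after signing
echo 'tampered body:    ', var_export(verify_request($tampered, CLIENT_SECRETS, $now), true), PHP_EOL;

echo 'replayed later:   ', var_export(verify_request($good, CLIENT_SECRETS, $now + 3600), true), PHP_EOL;

$forged = sign_request('zcom-key', 'not-a-registered-secret', $body, $now);
echo 'unregistered key: ', var_export(verify_request($forged, CLIENT_SECRETS, $now), true), PHP_EOL;
```

Transport the four fields in the POST body (or the signature and key id in headers) over HTTPS only; the secret itself never travels, so a proxy or the user's browser devtools sees only a signature that is useless for a different body or after the skew window. Rotating a client is a matter of adding a new key id to CLIENT_SECRETS and removing the old one.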