3

We have REST API that we want only our domain has access to and that spoofed requests are not sent. To do so, the only thing coming in my mind was checking the referer $_SERVER['HTTP_REFERER']. However the docs say that:

The address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted.

So let's say our main API requests/gate file is:

www.example.com/api/gate.php

How do I make it secure so that only requests from own domain are served and all other disregarded. I have read a little about http authentication and seting up private keys or secret but I am looking for a simple way so only our own domain can send requests to that file. Thanks

Dev555
  • 2,128
  • 4
  • 30
  • 40

4 Answers4

5

As already stated, HTTP_REFERRER and REMOTE_ADDR could be potentially spoofed, and thus can't be trusted to implement said functionality. Also keep in mind that in a shared hosting context other accounts in the same server also have the same IP.

A quick solution could be to use Basic Authentication to authenticate the requests to the API. This won't filter by IP or referrer URL/IP but will ensure that requests come from a trusted source.

In a Apache environment setting up Basic Authentication is as easy as creating the .htaccess and .htpasswd files, and putting them in the root directory of your API.

You can create both files using the following generators:
.htaccess generator
.htpasswd generator

After setting up Basic Authentication, authenticating your requests in PHP is as easy as accessing your API in the following fashion:

username:password@example.com

So no extra code needs to be developed to set any headers to authenticate your requests. Anyone accessing the URL will be prompted for credentials, denying access if authentication fails.

enter image description here

Telmo Marques
  • 5,066
  • 1
  • 24
  • 34
2

I believe that the HTTP_REFERRER and REMOTE_ADDR are just sent in the request headers, meaning they can be spoofed. If your site is on the internet and you want to restrict access to it, this is not the way to do it. Full authentication is necessary, using credentials.

If you don't want to set up authentication or keys, you could just host it on your companies LAN.

Telmo Marques
  • 5,066
  • 1
  • 24
  • 34
dm03514
  • 54,664
  • 18
  • 108
  • 145
  • Agreed. Setting up basic authentication only takes a couple of minutes and authentication can be done directly in the URL by using `username:password@example.com` – Telmo Marques Apr 09 '12 at 15:24
  • @TelmoMarques: Can't anyone see those credentials in urls and then send spoofed requests – Dev555 Apr 09 '12 at 15:27
  • @Dev555 what I meant was that authentication can be done directly in the URL, meaning no extra code needs to be developed to authenticate a request. Accessing the URL without any credentials will just prompt the user to provide them, denying access if authentication fails. – Telmo Marques Apr 09 '12 at 15:29
2

Wouldn't a simple .htaccess in the public_html/api subfolder that allows access to localhost only do the trick?

order deny,allow
deny from all
allow from 127.0.0.1

or, if you only ever access the gate.php file and need other files in the folder to be accessible you could just target the one file 

<files "gate.php">
    order deny,allow
    deny from all
    allow from 127.0.0.1
</files>
Crisp
  • 11,417
  • 3
  • 38
  • 41
0

There is also $_SERVER['REMOTE_ADDR'] which would be less likely to be spoofed.

Is it safe to trust $_SERVER['REMOTE_ADDR']?

Community
  • 1
  • 1
Dan Roberts
  • 4,664
  • 3
  • 34
  • 43