I am working on a music web app. I am adding a feature where there is a button next to each song to delete it from the database. The page will accomplish this by sending a parameter songId to a PHP page that will deal with it. Now, I want to prevent people being able to send POST requests to that PHP page from a remote server. What conditions can I check to restrict the POST request to originate from my music web app only, or localhost?
Viewed 866 times
1 Answer
<?php
// Only allow requests arriving over the loopback interface (IPv4 or IPv6).
if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1' && $_SERVER['REMOTE_ADDR'] != '::1') {
    exit('access denied');
}
However, this will not protect you against CSRF. To prevent a malicious website from creating a form that POSTs to your application when it's submitted (possibly automatically via JavaScript) you need to implement proper CSRF protection through a secret token an attacker website cannot know.

ThiefMaster
- It also won't work if you're using a hostname that doesn't map to 127.0.0.1, e.g. the mDNS hostname. – Ignacio Vazquez-Abrams Jul 02 '12 at 22:31
- When accessing it locally chances are good that the loopback interface is used though. – ThiefMaster Jul 02 '12 at 22:32
- Thank you. If I told you that the web app page required a login, would they still be able to POST directly to the page? – Tuan Vo Jul 02 '12 at 22:43
- CSRF causes *you* to POST to the page, so that doesn't help. – Ignacio Vazquez-Abrams Jul 02 '12 at 22:53
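The secret-token approach the answer recommends, worked through for the delete-song endpoint in the question, as an added example that is not part of the original answer. The function names, the form field names and the file name delete_song.php are assumptions; the session-bound token is what a page on another origin cannot read or guess.

```php
<?php
// Added example, not code from the original answer. Names below are assumed.
session_start();

// Create one token per session; random_bytes() is cryptographically secure.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak timing information.
function csrfTokenIsValid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Page that lists the songs: one delete form per song, carrying the token.
function renderDeleteForm(int $songId): string {
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete_song.php">'
         . '<input type="hidden" name="songId" value="' . $songId . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Delete</button></form>';
}

// delete_song.php: validates the request and returns the songId to delete.
// A forged cross-site form is refused because it cannot supply the token,
// even though the victim's browser still sends the login cookie with it.
function validateDeleteRequest(): int {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('method not allowed');
    }
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('access denied');
    }
    $songId = filter_input(INPUT_POST, 'songId', FILTER_VALIDATE_INT);
    if ($songId === false || $songId === null) {
        http_response_code(400);
        exit('invalid songId');
    }
    return $songId; // the caller runs the app's own database delete with this id
}
```

The login check still belongs in front of this, but as the last comment notes it does not replace the token: the browser attaches the session cookie to a forged POST automatically, whereas the token is only present in forms the app itself rendered.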