
I have the following code to display secret content on a publicly accessible webpage. This secret content is to only be seen by people 'sitting behind' 1-3 specific IP addresses. I've had a go with the code below using just $_SERVER['REMOTE_ADDR'] and it works. I've previously read that people also use HTTP_X_FORWARDED etc., and that:

If relying on IP addresses for something mission critical, resort to REMOTE_ADDR and don't bother catering to those behind a proxy.

Is it secure to just use $_SERVER['REMOTE_ADDR'] to display 'secret content' based on IP address?

<?php
// Placeholder addresses (not real IPs): the 1-3 addresses permitted to see the content.
$allowed_ips = array(
    '111.222.333.444',
    '555.666.777.888',
    '999.111.222.333'
);

// REMOTE_ADDR is the address of the TCP peer as recorded by the web server itself,
// so the client cannot set it (unlike request headers such as X-Forwarded-For).
if (in_array($_SERVER['REMOTE_ADDR'], $allowed_ips))
{
    echo 'this is secret stuff only for certain IPs';
}
  • Well, it works. You could also let the web server handle it directly; but whether that's "better" or not depends. – deceze Jun 28 '13 at 10:16
  • Your current code is fine. Adding additional checks for other headers, such as `HTTP_X_FORWARDED_FOR`, will make it less secure, not more so. – Jul 01 '13 at 06:07
  • I've used exactly this code to include some management links on pages on my public web site. Nothing critical, but things I'd rather were not visible to anyone except myself. But I've recently had a thought... isn't there a possibility that unless you disallow it, a cache may hold the page containing the secret content, and send it to any other client that requests the same page? Even though that client isn't one of the allowed IPs? – Simes Jan 28 '17 at 15:13
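The following is an added example, not code from the question or the comments, that ties the two points above together: it authorises on REMOTE_ADDR by default, consults X-Forwarded-For only when the direct peer is a reverse proxy you operate yourself, and sends a Cache-Control header so a shared cache cannot hand the per-IP page to a different client. The proxy address, the allowed addresses and the PHP 7+ type hints are assumptions.

```php
<?php
// Added example: IP allow-list that does not trust client-supplied headers,
// plus cache headers for the caching concern raised in the comments.
// All addresses below are placeholders (RFC 5737 / RFC 1918 ranges).
$trusted_proxies = ['10.0.0.2'];                     // assumed: our own reverse proxy
$allowed_ips     = ['203.0.113.10', '203.0.113.11']; // placeholders for the allowed clients

/**
 * Return the address to authorise against, or null if none can be trusted.
 * REMOTE_ADDR is set by the web server from the TCP connection, so the client
 * cannot forge it. X-Forwarded-For is an ordinary request header that any
 * client can send, so it is only read when REMOTE_ADDR is one of our own
 * proxies, and then only the last hop (the value that proxy appended) is used.
 */
function client_ip(array $server, array $trusted_proxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote; // direct connection: ignore any forwarding headers
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $last = end($hops); // rightmost entry = address seen by our trusted proxy
    return filter_var($last, FILTER_VALIDATE_IP) === false ? null : $last;
}

function is_allowed(?string $ip, array $allowed_ips): bool
{
    return $ip !== null && in_array($ip, $allowed_ips, true);
}

// The body depends on who is asking, so no shared cache may store or reuse it.
header('Cache-Control: private, no-store');

if (is_allowed(client_ip($_SERVER, $trusted_proxies), $allowed_ips)) {
    echo 'this is secret stuff only for certain IPs';
}
```

With an empty $trusted_proxies the function reduces to the REMOTE_ADDR-only check from the question, which is the right setting when no reverse proxy sits in front of the server.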
