I have an API checking from what IP the calls are made with PHP REMOTE_ADDR. I want to whitelist all calls from IP address "A".

Let's say I have an AJAX call to myapi.com/controller/action/, with an AJAX js file hosted on a server with IP "A". The user has an IP "B".

Since the javascript is interpreted by the user browser, I was wondering if my REMOTE_ADDR check in my API would be IP "A" (server where the javascript file is hosted), or IP "B", IP of the user.

Thanks a lot for your help!

2 Answers

It would be the IP of the user.

AlliterativeAlice
  • Dammit! Is there a way in PHP to whitelist all JS/AJAX calls from a specific server IP (not user)? – user2994286 Nov 14 '13 at 23:31
  • 1
    You could mask your AJAX calls through a proxy on your app server. For instance call myapp.com/api/controller/action which just proxies (via your PHP code) to myapi.com/controller/action. That way all calls will originate from your server instead of the user. – Nick Mallare Nov 14 '13 at 23:33
  • 1
    @user2994286 The servers that have the Javascript on them don't make any Requests. So no. See my answer ;) – Johannes H. Nov 14 '13 at 23:33
  • Perhaps by checking HTTP_REFERER? – AlliterativeAlice Nov 14 '13 at 23:33
  • @AlliterativeAlice As that header is set by the client, it's way too easy to spoof to be a reliable source for anything. – Johannes H. Nov 14 '13 at 23:34
  • @JohannesH. A client could spoof it manually, but it couldn't be spoofed by JavaScript code on a webpage executed by a browser, which is likely the issue here. – AlliterativeAlice Nov 14 '13 at 23:36
  • @AlliterativeAlice Sure it could. a) A user can modify the whole Javascript code if she likes to. b) Many modern browsers offer the ability to send no referrer at all - and this, of course, applies to all requests made by the browser, through JS or not. – Johannes H. Nov 14 '13 at 23:37
  • The thing is that my client can only be JS (no PHP), and I can't figure out how to secure API calls (they return JSON that should not be used by other apps). – user2994286 Nov 14 '13 at 23:37
  • @user2994286: Require credentials or some sort of API key. Include that key in your scripts. Others can copy it, of course, so it's really just security by obscurity. But better than none. – Johannes H. Nov 14 '13 at 23:38
  • My question is: since the Javascript is not hidden, what can prevent another app from using the key? (EDIT: I see you addressed this in your answer.) So basically it is impossible to do "secret" API calls in JS? – user2994286 Nov 14 '13 at 23:39
  • @JohannesH. The USER could do it themselves, but someone couldn't include code on their page/app that would cause the user to (unintentionally) make a request to an API with a spoofed referrer. – AlliterativeAlice Nov 14 '13 at 23:39
  • So basically it is impossible to do "secret" api calls in JS ? I don't want other websites to be able to get my JSON data (which they can do with a public key, PLUS I can't restrict calls to a specific IP). (The thing is that my client can only be JS, no PHP) – user2994286 Nov 14 '13 at 23:42
  • @AlliterativeAlice Ah. Got you now. Yep, ok, agreed. – Johannes H. Nov 14 '13 at 23:43
  • @JohannesH. You can't set the referrer header on any mainstream browser. See: [changing the referrer of an Ajax POST](http://stackoverflow.com/questions/8231366/changing-the-referrer-of-an-ajax-post) – AlliterativeAlice Nov 14 '13 at 23:44
  • @AlliterativeAlice Yes, I just tried it because I wasn't sure. Changed my edit - seems like it was too late though ;) You were right the whole time, I just didn't get your point I guess. No offense meant! – Johannes H. Nov 14 '13 at 23:46

It's the IP of the user, obviously.

REMOTE_ADDR names the IP of the computer that sent the request to the webserver. As the Javascript is executed in the user's browser, it's that browser that makes the connection to the server and sends the HTTP request - so your server only sees that URL. It's the only computer your server communicates with ;)

Your server has no knowledge about what other calls the user's browser made (for example to get the Javascript). How should it? It wasn't involved in that communication.

Johannes H.
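The two answers and the comment thread describe a server-side proxy (the browser calls myapp.com, PHP on that server calls myapi.com) together with a REMOTE_ADDR allow-list on the API. The following is an added example illustrating both, not code from the original question or either answer. The host names, paths and the allow-list address 203.0.113.10 are placeholders standing in for server "A"; `isAllowedRemoteAddr`, `apiEndpoint` and `proxyToApi` are hypothetical function names chosen for this example.

```php
<?php
// Added example (not part of the original post). The API compares the peer
// address PHP exposes as $_SERVER['REMOTE_ADDR'] against an allow-list; the
// application server reaches the API through a small PHP proxy, so the address
// the API sees is the app server's ("A"), never the browser's ("B").
// All host names, paths and addresses below are placeholders.

declare(strict_types=1);

/**
 * True when $remoteAddr is one of the allowed IP literals.
 * Addresses are compared in packed (binary) form via inet_pton, so textual
 * variants of the same IPv6 address ("::1" vs "0:0:0:0:0:0:0:1") match.
 */
function isAllowedRemoteAddr(string $remoteAddr, array $allowList): bool
{
    $packed = @inet_pton($remoteAddr);
    if ($packed === false) {
        return false; // not a valid IP literal at all
    }
    foreach ($allowList as $allowed) {
        $allowedPacked = @inet_pton($allowed);
        if ($allowedPacked !== false && $allowedPacked === $packed) {
            return true;
        }
    }
    return false;
}

// --- myapi.com/controller/action : the API endpoint -----------------------
function apiEndpoint(): void
{
    // REMOTE_ADDR comes from the TCP connection the web server accepted, so a
    // browser cannot forge it the way it can influence request headers such as
    // Referer. Only the app server's address is on the list.
    $allowList = ['203.0.113.10']; // placeholder for server "A"

    header('Content-Type: application/json');
    if (!isAllowedRemoteAddr($_SERVER['REMOTE_ADDR'] ?? '', $allowList)) {
        http_response_code(403);
        echo json_encode(['error' => 'forbidden']);
        return;
    }
    echo json_encode(['data' => 'reachable only through the app server']);
}

// --- myapp.com/api/controller/action : the proxy on the app server --------
function proxyToApi(string $apiUrl): void
{
    // The browser only ever talks to myapp.com. This code opens the connection
    // to myapi.com itself, so REMOTE_ADDR at the API is the app server's IP.
    $ch = curl_init($apiUrl);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_FOLLOWLOCATION => false, // never follow redirects off the API host
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    header('Content-Type: application/json');
    if ($body === false) {
        http_response_code(502);
        echo json_encode(['error' => 'upstream unavailable']);
        return;
    }
    http_response_code($status);
    echo $body;
}

// Wire the two roles to their routes (placeholder routing; a real app would
// use its framework's router). The proxy URL is fixed server-side so the
// browser cannot choose which upstream is contacted.
if (($_SERVER['SERVER_NAME'] ?? '') === 'myapi.com') {
    apiEndpoint();
} else {
    proxyToApi('https://myapi.com/controller/action');
}
```

Two practical notes on this design. First, the proxy route on myapp.com is itself reachable by any browser, so the original concern (other sites reading the JSON) is not solved by the IP allow-list alone; the proxy should enforce the app's own login session before forwarding, and the API should be reachable only from the app server. Second, if the API sits behind a load balancer or reverse proxy, REMOTE_ADDR will be that proxy's address; headers such as X-Forwarded-For are client-supplied and should only be trusted when the request provably arrived from your own proxy.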