
Is there a reliable way to tell if a request to your site came from a server-to-server call vs a browser url call?

For example, Paypal IPN is a server-to-server call. But you could also fake it by calling it direct from a url with parameters from your browser.

I tried both ways and dumped $_SERVER in both cases and there were a few variables that were set for the browser that weren't set for the server-to-server call... namely

HTTP_COOKIE
HTTP_CACHE_CONTROL

They don't exist on the server-to-server call. Can I reliably assume that to always be the case?

I could use the HTTP_USER_AGENT, but that can be anything, and I don't want to check REMOTE_ADDR because I'm trying to make this more of a dynamic change, not limited to PayPal or any specific server-side reply. My assumption is that the "common browser" values would be missing for server-side calls. It may not be 100% reliable, but maybe 99%.

This will ultimately determine if I use a php header redirect or a javascript redirect on the callback page.

Thoughts?

Dss

1 Answer


Is there a reliable way to tell if a request to your site came from a server-to-server call vs a browser url call?

No, there isn't a 100% reliable way. If the user can get hold of the right parameters, he/she can easily fake a "server-to-server" request using a web browser or a simple custom application.

The only real (hard-core) defence against faking would be to use a combination of HTTPS and either client certificates or some kind of security token that is sent as part of the request.

Stephen C
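The following is an added PHP example illustrating the "security token sent as part of the request" approach from the answer above; it is not code from the question, the answer, or PayPal's IPN. It assumes a secret shared out-of-band between the calling server and this site (CALLBACK_SECRET, a placeholder), a hypothetical X-Callback-Signature header carrying an HMAC-SHA256 over the raw body plus a timestamp, and a hypothetical X-Callback-Timestamp header. Instead of inferring the caller from the presence or absence of HTTP_COOKIE or HTTP_USER_AGENT in $_SERVER, the callback page accepts the request only when the signature verifies and the timestamp is fresh.

```php
<?php
// Added example (not from the original question or answer): verify a
// server-to-server callback with a shared-secret HMAC token rather than
// guessing from browser-looking $_SERVER entries.
// Assumptions (hypothetical, not defined by PayPal or this site):
//   - CALLBACK_SECRET is a long random value shared with the calling server.
//   - The caller sends X-Callback-Timestamp (Unix seconds) and
//     X-Callback-Signature = hex HMAC-SHA256(timestamp . "\n" . rawBody).
//   - The endpoint is served over HTTPS so the token is not exposed in transit.

const CALLBACK_SECRET  = 'replace-with-a-long-random-shared-secret'; // placeholder
const MAX_SKEW_SECONDS = 300; // reject callbacks whose timestamp is more than 5 minutes off

/**
 * Expected signature over the timestamp and the raw request body.
 * Including the timestamp limits how long a captured request stays valid.
 */
function expectedSignature(string $rawBody, string $timestamp, string $secret): string
{
    return hash_hmac('sha256', $timestamp . "\n" . $rawBody, $secret);
}

/**
 * True only when the request carries a valid, fresh signature.
 * $server is normally $_SERVER; PHP exposes header "X-Callback-Signature"
 * as $_SERVER['HTTP_X_CALLBACK_SIGNATURE'].
 * hash_equals() is used so the comparison is constant-time.
 */
function isSignedCallback(array $server, string $rawBody, string $secret, int $now): bool
{
    $sig = $server['HTTP_X_CALLBACK_SIGNATURE'] ?? '';
    $ts  = $server['HTTP_X_CALLBACK_TIMESTAMP'] ?? '';
    if ($sig === '' || !ctype_digit($ts)) {
        return false;
    }
    if (abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return false; // stale or replayed
    }
    return hash_equals(expectedSignature($rawBody, $ts, $secret), $sig);
}

// --- Constructed demonstration: one signed request, one unsigned "browser" request ---
$body = 'txn_id=12345&status=Completed'; // constructed sample payload
$now  = time();
$ts   = (string) $now;

$signedRequest = [
    'HTTP_X_CALLBACK_TIMESTAMP' => $ts,
    'HTTP_X_CALLBACK_SIGNATURE' => expectedSignature($body, $ts, CALLBACK_SECRET),
];
$browserRequest = [
    'HTTP_USER_AGENT' => 'Mozilla/5.0',
    'HTTP_COOKIE'     => 'session=abc',
    // No signature: pasting the parameters into a browser cannot produce one
    // without the shared secret, which is the property the header check lacks.
];

var_dump(isSignedCallback($signedRequest, $body, CALLBACK_SECRET, $now));
var_dump(isSignedCallback($browserRequest, $body, CALLBACK_SECRET, $now));

// In the real callback page the decision from the question would become:
//   $rawBody = file_get_contents('php://input');
//   if (isSignedCallback($_SERVER, $rawBody, CALLBACK_SECRET, time())) {
//       header('Location: /thank-you');  // trusted server-to-server caller
//   } else {
//       http_response_code(403);         // anything else, including a browser
//   }
```

The signature is computed over the raw body rather than over parsed $_POST values so that the verifier and the signer hash exactly the same bytes. The timestamp check bounds replay of a captured request; if the calling service cannot send custom headers, the same token can be carried as a request parameter, as long as it is excluded from the signed body.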