
How can I ensure that an https post is from a given domain? Consider the following setup: A webpage on the frontend server, for example https://www.frontend.com/index.php sends an https post redirect to a webpage on a backend server, for example https://www.backend.com/index.php

Now the backend wants to verify that the post is really from https://www.frontend.com/index.php .

(If the post is not from the frontend server, it should be rejected showing an error message.) How can this be done in php? (as seen from the URLs above I am using SSL)

Håkon Hægland
  • `$_SERVER['HTTP_REFERER']` but I would pass a token to make sure. – Popnoodles Jun 17 '14 at 18:40
  • @Popnoodles But cannot another site (not frontend) just set this variable `$_SERVER['HTTP_REFERER']` to the frontend URL, pretending it is the frontend server? See: http://security.stackexchange.com/questions/32299/is-server-a-safe-source-of-data-in-php – Håkon Hægland Jun 17 '14 at 18:44
  • Yes which is why I'd pass a token that only those two sites know how to generate. – Popnoodles Jun 17 '14 at 18:46
  • Ok I see :) Thanks. I wondered if there were some other mechanisms that could be used, since I am using SSL. – Håkon Hægland Jun 17 '14 at 18:46
  • That said there is probably a proper way to do it using CURL and credentials. I don't know about this though, so hopefully someone will help you out. Possibly SOAP does this. – Popnoodles Jun 17 '14 at 18:48

1 Answer


A common technique here would be to use request signing. In short, it uses a shared secret (a "password") to hash certain parts of the request to create an authentication token. For example, see here.

Specifically for SSL though, you may also use client-side certificates, in which the client sending the request proves its identity. SSL enables mutual authentication; it doesn't have to be one-sided as it typically is.

deceze
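The request-signing approach from the answer, as an added PHP example that is not part of the original answer or question. Because the setup in the question routes the POST through the user's browser (a redirect), the frontend cannot add HTTP headers to it; the example therefore puts the timestamp, nonce and HMAC in hidden form fields (`_ts`, `_nonce`, `_sig`), which the user can see but cannot forge without the shared secret. The field names, the canonical-string layout, the 5 minute freshness window and the in-memory nonce store are assumptions made for this example.

```php
<?php
// Added example, not code from the original answer. Frontend and backend share
// a secret; the frontend signs the POST fields with an HMAC, the backend
// recomputes the HMAC and compares it. Field names (_ts, _nonce, _sig), the
// canonical-string layout and the 5 minute window are assumptions.
declare(strict_types=1);

const SIGNATURE_TTL_SECONDS = 300;

// Fields are sorted so the signature does not depend on the order in which
// the browser happens to submit them. Method and path are covered too, so a
// signature for one backend page cannot be reused against another.
function canonicalString(string $method, string $path, array $fields, string $ts, string $nonce): string
{
    ksort($fields, SORT_STRING);
    return implode("\n", [
        strtoupper($method),
        $path,
        http_build_query($fields, '', '&', PHP_QUERY_RFC3986),
        $ts,
        $nonce,
    ]);
}

// Frontend (https://www.frontend.com/index.php): returns the full set of form
// fields to emit as <input type="hidden"> in the auto-submitting POST form.
function signFields(string $secret, string $method, string $path, array $fields): array
{
    $ts    = (string) time();
    $nonce = bin2hex(random_bytes(16));
    $sig   = hash_hmac('sha256', canonicalString($method, $path, $fields, $ts, $nonce), $secret);
    return $fields + ['_ts' => $ts, '_nonce' => $nonce, '_sig' => $sig];
}

// Backend (https://www.backend.com/index.php): verifies the received fields.
// $seenNonces stands in for persistent replay storage (a table or cache whose
// entries live at least SIGNATURE_TTL_SECONDS). Returns true on success; the
// caller shows an error page otherwise.
function verifyFields(string $secret, string $method, string $path, array $post, array &$seenNonces, ?int $now = null): bool
{
    foreach (['_ts', '_nonce', '_sig'] as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return false;
        }
    }
    $now = $now ?? time();
    if (!ctype_digit($post['_ts']) || abs($now - (int) $post['_ts']) > SIGNATURE_TTL_SECONDS) {
        return false; // expired, or clock skew beyond the tolerance window
    }
    if (isset($seenNonces[$post['_nonce']])) {
        return false; // the same signed request was already accepted once
    }
    $fields = $post;
    unset($fields['_ts'], $fields['_nonce'], $fields['_sig']);
    $expected = hash_hmac('sha256', canonicalString($method, $path, $fields, $post['_ts'], $post['_nonce']), $secret);
    if (!hash_equals($expected, $post['_sig'])) {
        return false; // constant-time compare: wrong secret or a tampered field
    }
    $seenNonces[$post['_nonce']] = true;
    return true;
}

// On the real backend the arguments come from the request itself, e.g.
//   verifyFields($secret, $_SERVER['REQUEST_METHOD'],
//                parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), $_POST, $store);
// Below, a constructed round trip stands in for the browser.
$secret = 'replace-with-a-long-random-secret-known-only-to-both-servers';
$seen   = [];
$post   = signFields($secret, 'POST', '/index.php', ['user' => 'alice', 'action' => 'sync']);

echo 'genuine request:  ', verifyFields($secret, 'POST', '/index.php', $post, $seen) ? "accepted\n" : "rejected\n";
echo 'replayed request: ', verifyFields($secret, 'POST', '/index.php', $post, $seen) ? "accepted\n" : "rejected\n";

$tampered = $post;
$tampered['user'] = 'mallory';
$seen2 = [];
echo 'tampered field:   ', verifyFields($secret, 'POST', '/index.php', $tampered, $seen2) ? "accepted\n" : "rejected\n";

$forged = signFields('guessed-secret', 'POST', '/index.php', ['user' => 'alice', 'action' => 'sync']);
echo 'wrong secret:     ', verifyFields($secret, 'POST', '/index.php', $forged, $seen2) ? "accepted\n" : "rejected\n";
```

The secret never leaves the two servers; the browser only carries the HMAC, which is useless without it. `$_SERVER['HTTP_REFERER']`, mentioned in the comments, is attacker-controlled and should not be part of this check. The nonce store is what turns "the frontend signed this at some point" into "the frontend signed this and it has not been used before"; without it an observer could replay a captured form within the time window.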
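The client-certificate (mutual TLS) alternative from the answer's second paragraph, as an added PHP example that is not part of the original answer. It assumes the backend runs Apache with mod_ssl configured with `SSLVerifyClient require`, `SSLCACertificateFile` pointing at a private CA that issued the frontend's client certificate, and `SSLOptions +StdEnvVars`, so that mod_ssl exposes the verification result to PHP through `$_SERVER`. Certificate paths and the expected subject CN are placeholders. Note that this only fits a server-to-server POST: in a browser redirect the browser, not the frontend server, is the TLS client, so the frontend must make the POST itself (curl below).

```php
<?php
// Added example, not code from the original answer. Backend-side check of a
// TLS client certificate plus the frontend-side curl call that presents one.
// Assumes Apache mod_ssl with SSLVerifyClient require and SSLOptions +StdEnvVars;
// certificate paths and the expected CN are placeholders.
declare(strict_types=1);

// Backend (https://www.backend.com/index.php). The TLS layer has already
// verified that the presented certificate chains to SSLCACertificateFile;
// this function additionally pins the caller to one specific subject CN, so a
// different client certificate from the same private CA is still rejected.
function callerIsFrontend(array $server, string $expectedCn): bool
{
    // mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only when a certificate was
    // presented and validated; "NONE" means no certificate, "FAILED:..." an invalid one.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return false;
    }
    $cn = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    return is_string($cn) && hash_equals($expectedCn, $cn);
}

// On the real backend the check sits at the top of index.php:
//   if (!callerIsFrontend($_SERVER, 'www.frontend.com')) {
//       http_response_code(403);
//       exit('Error: request did not come from the frontend server');
//   }

// Frontend (https://www.frontend.com/index.php): the server itself makes the
// POST and presents its client certificate. Not called here (needs network).
function postToBackend(array $fields): string
{
    $ch = curl_init('https://www.backend.com/index.php');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLCERT        => '/etc/ssl/frontend-client.crt', // placeholder path
        CURLOPT_SSLKEY         => '/etc/ssl/frontend-client.key', // placeholder path
        // Only if the backend's own server certificate is issued by the private
        // CA; otherwise omit CURLOPT_CAINFO to use the system CA bundle.
        CURLOPT_CAINFO         => '/etc/ssl/private-ca.crt',      // placeholder path
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('backend request failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}

// Constructed $_SERVER-style arrays standing in for what mod_ssl would set.
$cases = [
    'frontend certificate'     => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'www.frontend.com'],
    'other cert from same CA'  => ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'www.other.com'],
    'no certificate presented' => ['SSL_CLIENT_VERIFY' => 'NONE'],
    'certificate failed'       => ['SSL_CLIENT_VERIFY' => 'FAILED:unable to get local issuer certificate'],
];
foreach ($cases as $label => $srv) {
    echo $label, ': ', callerIsFrontend($srv, 'www.frontend.com') ? "accepted\n" : "rejected\n";
}
```

With `SSLVerifyClient require` the handshake itself fails for clients without a valid certificate, so PHP never sees those requests; the `SSL_CLIENT_VERIFY` check is still worth keeping in case the directive is later relaxed to `optional` on a shared vhost. Unlike the shared-secret scheme, there is no replay window to manage, because each request is authenticated by the live TLS session rather than by a token that travels with the form.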