
I'm interested in what might be the options for securely implementing a dead simple API that allowed websites to register on my site, receive and copy the unique HTML form to their website that would ultimately post to my API.

E.g.:

  1. A church at URL www.church.com buys 5 submits of my service.
  2. I provide that church an HTML form that they then copy into their website.
     2b. The form would post back to my API/URL with a unique key specifying it's coming from www.church.com (key=1234)

```html
<form action="https://www.example.com/myCustomAPIService.php?key=1234" method="post">
  First name: <input type="text" name="fname"><br>
  Last name: <input type="text" name="lname"><br>
  <input type="submit" value="Submit">
</form>
```

What would prevent say another organization from copying the HTML to their site?

Would checking $_SERVER["HTTP_REFERER"] solve this problem?

user1040259
  • 6,369
  • 13
  • 44
  • 62
  • [`$_SERVER["HTTP_REFERER"]` IS NOT RELIABLE](http://stackoverflow.com/questions/6023941/how-reliable-is-http-referer). See [here](http://security.stackexchange.com/questions/32299/is-server-a-safe-source-of-data-in-php) for more options. – Dipen Shah Dec 21 '15 at 21:51
  • referers are not, never have been, and never will be, a "security system". they're "hello my name is" tags and can contain **ANYTHING** the user wants. – Marc B Dec 21 '15 at 21:51

1 Answer

2

You can't rely on anything coming from the user, so there is no 100% secure way using HTML only.

You need some secret. For example:

  1. Church.com sends a request to your web server with its secret key to get a temporary public key for every HTML form it generates
  2. Church.com creates the HTML form with this temporary key
  3. The user sends the form with this temporary key to your site
  4. You check whether the temporary key is valid

Or:

  1. church.com creates the HTML form
  2. The user sends the form to church.com
  3. church.com sends the values from this form to your website with its secret key

etc.

Petr
  • 1,159
  • 10
  • 20
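The first option in the answer (a per-form temporary key issued against the customer's secret, then verified on submit), as an added Python example that is not code from the question or the answer. The server secret, the customer table, the `key=1234` site and the `token` field name are constructed assumptions; the token is an HMAC over `site_key:expiry:nonce`, so the API can verify it statelessly and still enforce the 5 paid submits.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the example; a real service keeps these in its database/config.
SERVER_SECRET = b"constructed-server-secret"
CUSTOMERS = {  # site key -> the customer's shared secret and the submits they paid for
    "1234": {"secret": "church-secret", "remaining": 5},
}
USED_TOKENS = set()  # tokens already spent, so a copied form cannot be replayed

def issue_form_token(site_key, customer_secret, ttl=3600, now=None):
    """Step 1: church.com's server proves its secret and gets a short-lived token."""
    cust = CUSTOMERS.get(site_key)
    if cust is None or not hmac.compare_digest(cust["secret"], customer_secret):
        return None
    expiry = int(time.time() if now is None else now) + ttl
    payload = f"{site_key}:{expiry}:{secrets.token_hex(8)}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"

def render_form(token):
    """Step 2: the token goes in a hidden field instead of a fixed ?key=1234 in the action URL."""
    return ('<form action="https://www.example.com/myCustomAPIService.php" method="post">\n'
            f'  <input type="hidden" name="token" value="{token}">\n'
            '  First name: <input type="text" name="fname"><br>\n'
            '  Last name: <input type="text" name="lname"><br>\n'
            '  <input type="submit" value="Submit">\n</form>')

def accept_submission(token, now=None):
    """Steps 3-4: verify the posted token; returns the site key it was issued to, or None."""
    parts = token.split(":")
    if len(parts) != 4:
        return None
    site_key, expiry, nonce, tag = parts
    payload = f"{site_key}:{expiry}:{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered token
    if int(expiry) < int(time.time() if now is None else now):
        return None  # expired: a stale copy of the form stops working
    if token in USED_TOKENS:
        return None  # replayed: each rendered form is good for one submit
    cust = CUSTOMERS.get(site_key)
    if cust is None or cust["remaining"] <= 0:
        return None  # unknown customer or paid submits exhausted
    USED_TOKENS.add(token)
    cust["remaining"] -= 1
    return site_key
```

The residual gap is that a token copied from church.com's page is still accepted once until it expires, so keep the TTL short; the answer's second option, where church.com's own server posts the values with its secret, closes that gap entirely because no secret ever reaches the browser.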