6

I have written several PHP web services where I pass in arguments via the URL. To prevent unauthorized access, I pass in a unique key as one of the arguments. I call the PHP file via HTTPS, and I am wondering if there's a way I can prevent the script from running if HTTPS is not used.

Quentamia
  • 3,244
  • 3
  • 33
  • 42
  • 2
    Note that if you're making the browser send some secret token to your service, it's not as much what the server accepts that you should worry about, but what the client sends. If your server is also listening in plain HTTP on that same address and the client makes the request to that by mistake, it could be intercepted and reproduced by an attacker, over HTTPS this time (similar problem as not using secure cookies). – Bruno Sep 16 '10 at 18:28
  • Also see http://stackoverflow.com/a/28891745/632951 – Pacerier Mar 06 '15 at 03:11

5 Answers5

8

Slightly off topic, but if you're using PHP with Apache Httpd and mod_ssl, you can force SSL access to files (and PHP scripts) by placing the SSLRequireSSL directive in .htaccess or in the Directory configuration.

Bruno
  • 119,590
  • 31
  • 270
  • 376
  • 1
    +1, solving the problem at the root. Even better would be to not even listen to port 80 on that address. – Wrikken Sep 16 '10 at 18:58
4
if(empty($_SERVER['HTTPS'])) {
    // ....
    exit;
}
Paolo Bergantino
  • 480,997
  • 81
  • 517
  • 436
  • This [**doesn't work**](http://php.net/manual/en/reserved.variables.server.php#refsect1-reserved.variables.server-indices) on IIS. – Pacerier Mar 06 '15 at 00:10
1

To clarify: You want that a client doesn't call a url containing a secret token over a non-encrypted connection, is that right? If so, then the problem is mainly not with you, but with the browser of the client. You may redirect the client to a secure connection if he isn't using one yet, but even if you do so the client already made an insecure, interceptable request to your server, before he get's redirected!

Mozilla is making an effort to solve this problem. As of Firefox 4 a server may send a Strict-Transport-Security header which will prevent an unencrypted access subsequently (though obviously before the header was sent an unencrypted access could still happen.)

Further reading at hacks.mozilla.org

NikiC
  • 100,734
  • 37
  • 191
  • 225
0

If you are using Apache, you could use mod_rewrite to redirect http requests to be https ones.

For e.g. This is what we use:

RewriteCond %{HTTPS} !=on
RewriteRule ^account(.*) https://%{SERVER_NAME}/account$1   [R=301,L]

This redirects http://domain/account to https://domain/account

letronje
  • 9,002
  • 9
  • 45
  • 53
  • How does this prevent the URL (and its secret token) from being sent to the plain HTTP server before rewrite? – Bruno Sep 16 '10 at 18:32
  • @Bruno: True, this doesn't prevent the secret token from being sent. Wrong answer :) – letronje Sep 16 '10 at 18:49
0

You can prevent the server responding to an unencrypted request, but you cannot prevent the client sending it, which is just as bad for password security. And that is not by far the worst problem with putting a secret token in the URL: it remains in the browser history, it can be seen in the referer when the user leaves your site, and any website the user visits can launch a brute-force or dictionary attack via the :visited CSS pseudo-class. All in all, it is a pretty horrible idea - you are better off using SSL-only cookies.

Tgr
  • 27,442
  • 12
  • 81
  • 118