10

When I use $_SERVER['HTTP_ORIGIN']:

echo $_SERVER['HTTP_ORIGIN'];

it returns: Notice: Undefined index: HTTP_ORIGIN in D:\xampp\htdocs\safe\test.php on line 12

What is Wrong?!

Praveen Kumar Purushothaman

1 Answer

10

The Origin header isn't sent by all browsers.

Depending what you're trying to do, another option is to use the Referer header:

echo $_SERVER['HTTP_REFERER'];

By the way, note that request headers are ultimately controlled by the user, so can't be fully trusted.

ruakh
Praveen Kumar Purushothaman
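An added example (not part of the answer above) of how the two headers are usually consumed on the server side in practice: read Origin when the browser sent it, fall back to a scheme://host derived from Referer, and compare the result against an allowlist with a guarded lookup so neither header produces the "Undefined index" notice from the question. The allowlist entries are constructed placeholders; the check is a same-site sanity check, not authentication, because both headers are client-supplied.

```php
<?php
// Constructed placeholder allowlist; replace with the site's real origins.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];

// Return the requesting origin as "scheme://host[:port]", or null if
// neither Origin nor a parseable Referer was sent (plain navigation,
// a proxy or "security" software that strips headers, or a non-browser client).
function requestOrigin(array $server): ?string
{
    // isset/empty guards avoid the "Undefined index: HTTP_ORIGIN" notice.
    if (!empty($server['HTTP_ORIGIN'])) {
        // Browsers may send the literal string "null" for opaque origins;
        // it is returned as-is and rejected by the allowlist below.
        return strtolower($server['HTTP_ORIGIN']);
    }
    if (!empty($server['HTTP_REFERER'])) {
        $parts = parse_url($server['HTTP_REFERER']);
        if ($parts !== false && isset($parts['scheme'], $parts['host'])) {
            $origin = strtolower($parts['scheme'] . '://' . $parts['host']);
            if (isset($parts['port'])) {
                $origin .= ':' . $parts['port'];
            }
            return $origin;
        }
    }
    return null;
}

// Exact match only: a missing header, "null", or an unknown site all fail.
function originAllowed(?string $origin): bool
{
    return $origin !== null && in_array($origin, ALLOWED_ORIGINS, true);
}

// Usage at the top of a state-changing endpoint.
$origin = requestOrigin($_SERVER);
if (!originAllowed($origin)) {
    http_response_code(403);
    exit('Cross-site request rejected');
}
```

Because a non-browser client can set either header to anything, a passing check only means the request claims to come from an allowed site; real authorization still has to come from a session or a token.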
  • 7
    as long as you don't trust HTTP_REFERER, as it is set by the browser. It can be faked, or is often emptied by various software for security –  Dec 19 '16 at 21:20
  • More info here about it: http://stackoverflow.com/questions/4566378/how-secure-is-http-origin – chop62 Dec 19 '16 at 21:21
  • @Dagon I demand an upvote! `:P` *just kidding, as this is as bad as asking money to strangers* – Praveen Kumar Purushothaman Dec 19 '16 at 21:23
  • @Dagon Why extra software dude? Why not Firebug, Developer Tools? They are capable of emulating, simulating, confusing, collapsing and finally, crashing the server. – Praveen Kumar Purushothaman Dec 19 '16 at 21:24
  • I meant some software a user may run may automatically empty it. I have seen various "internet security" software people run on their PC do this. –  Dec 19 '16 at 21:27
  • @Dagon Even I am doing it. OWASP? TamperHTTP? There are 1000s. But what I meant was, even the Chrome F12 Dev tools are capable of doing it. – Praveen Kumar Purushothaman Dec 19 '16 at 21:28
  • 1
    I think we agree. –  Dec 19 '16 at 21:31
  • I use a SoapClient to another server and I want to know whose request it is –  Dec 20 '16 at 09:29
  • @smko SOAP Client huh? You need to provide more information dude. – Praveen Kumar Purushothaman Dec 20 '16 at 14:04
  • I want to each site, which will be submitted information related to the site. But I know exactly the same site that will be submitted, and it is not an API of someone else? –  Dec 20 '16 at 20:31
  • 3
    @PraveenKumar Please review this answer, or even delete it, as it's misleading. – Pedro Lobito Feb 21 '18 at 09:50
  • @PedroLobito Sure, thanks for getting this to me... `:)` – Praveen Kumar Purushothaman Feb 21 '18 at 10:01
  • 1
    @PedroLobito I guess either if you can update the answer as per the latest standard, or I'll just delete it... :) – Praveen Kumar Purushothaman Feb 21 '18 at 10:05
  • 1
    @PraveenKumar There never was a secure way of using `HTTP_REFERER` as it can be easily spoofed. I'd delete the answer. – Pedro Lobito Feb 21 '18 at 23:36
  • How is either header "insecure"? Sure, they can be spoofed by a client, but they can't be overridden by browsers as they are [forbidden headers](https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name), which is good enough for many use cases. This answer needs to clarify that. – Sumit Oct 17 '22 at 18:57
  • @Sumit You know that the answers are licensed under CC BY-SA. You can very much [edit] and update it and I would have happily accepted it rather than complaining. It is this quality that makes a better leader. Anyway, thanks, I've updated it. – Praveen Kumar Purushothaman Oct 17 '22 at 23:06