
How can I secure the content of a PHP page so that it can only be accessed by a cURL request from a specific server? It should not be possible to get the content in a browser with a request like "https://cms.domain.com/home", but if I create a Zend Client on a specific server it should be possible to get the content.

Is it possible to check the referer or something else?

// Zend\Http\Client configured to use the cURL adapter
$adapter = new Zend\Http\Client\Adapter\Curl();
$client = new Zend\Http\Client();
$client->setAdapter($adapter);

// GET https://cms.domain.com/home
$client->setMethod(\Zend\Http\Request::METHOD_GET)
    ->setUri('https://cms.domain.com/home');

// send() belongs to the $client created above
$response = $client->send();
Dominik Barann

3 Answers


It's not so simple because, according to the HTTP protocol, each request is by definition independent of other requests.

HTTP_REFERER is simple to fake and not always present.

You can find more information here:

How to check if a request if coming from the same server or different server?

Valvadis

If you find a short way, I would then say no!

The one and only reliable solution is to use the OAuth2 protocol to restrict your API https://cms.domain.com/home, because Google, Facebook and Twitter use OAuth2 for their APIs.

Therefore, you need to create a RESTful application. A typical RESTful web service will use HTTP to do the four CRUD (Create, Retrieve, Update, and Delete) operations. Meaning you can perform those four operations against different endpoints of your API, like https://cms.domain.com/v2/api/oauth, https://cms.domain.com/v2/api/etc for example.

As you are using Zend\Http\Client as a client to handle your API, you need a server for authentication, which is an OAuth2 server. Here you can get the OAuth2 Server Library for PHP by Brent Shaffer.

You can also use the OAuth2 server from the PHP League.

Another option is Zend Framework's Apigility, which is very useful if you need to get an OAuth 2.0 API up and running. Check out their docs for the implementation, please!

unclexo

You can check the User-Agent of the HTTP request. Here is an example of the cURL User-Agent: curl/7.37.0.

So, you can check in onBootstrap(MvcEvent $mvcEvent): if the user agent is not curl/*, the request will be rejected.

namespace Application;

use Zend\Mvc\MvcEvent;

class Module
{
    public function onBootstrap(MvcEvent $event)
    {
        $headers = $event->getRequest()->getHeaders();
        // Headers::get() returns false when the header is absent
        $userAgent = $headers->get('User-Agent');
        if ($userAgent === false || preg_match('/^curl\//', $userAgent->getFieldValue()) !== 1) {
            $response = $event->getResponse();
            $response->setStatusCode(400);  // give bad request status
            $response->sendHeaders();
            // Returning a Response from a route listener short-circuits
            // the MVC cycle, so no controller is dispatched
            $stopCallBack = function ($mvcEvent) use ($response) {
                $mvcEvent->stopPropagation();
                return $response;
            };
            // Attach the "break" as a route listener; with priority -10000 it
            // runs after the router and hands back the 400 response
            $event->getApplication()->getEventManager()->attach(MvcEvent::EVENT_ROUTE, $stopCallBack, -10000);
            return $response;
        }
    }
}

If you want, you can add something like a security token to make the restriction better.

Dolly Aswin
  • To be completely honest, what if I am the client or you are the client, as we know the endpoint for the API? Can we make a cURL request from anywhere to access that type of endpoint? So it is open to all, isn't it? – unclexo Jul 01 '17 at 15:34
  • Yes, it's open. And my answer is based on the question. But I also gave a suggestion to use a security token to make a restriction. – Dolly Aswin Jul 01 '17 at 15:49
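Dolly Aswin's answer suggests adding a security token on top of the User-Agent check. As an added example, not taken from any of the answers above, this is what such a token can look like: an HMAC-SHA256 signature over method, path and timestamp, computed by the permitted server before it calls https://cms.domain.com/home and verified by the CMS. Unlike the Referer or User-Agent that the other answers discuss, it cannot be produced without the shared key. The header names, the secret value and the 300 second freshness window are assumptions.

```php
<?php
// Added example: shared-secret request signing for the CMS endpoint.
// The secret, header names and MAX_SKEW_SECONDS are assumed values,
// not part of the original question or answers.
const SHARED_SECRET    = 'replace-with-a-long-random-secret'; // placeholder
const MAX_SKEW_SECONDS = 300;

// Canonical string that is signed: method, path and timestamp, so a
// captured signature is not valid for another path or much later.
function canonical(string $method, string $path, int $timestamp): string
{
    return strtoupper($method) . "\n" . $path . "\n" . $timestamp;
}

// Client side (the permitted server): headers to add to the request,
// e.g. $client->setHeaders(signRequest('GET', '/home', time(), SHARED_SECRET));
function signRequest(string $method, string $path, int $now, string $secret): array
{
    $sig = hash_hmac('sha256', canonical($method, $path, $now), $secret);
    return [
        'X-Request-Timestamp' => (string) $now,
        'X-Request-Signature' => $sig,
    ];
}

// Server side (the CMS): accept only a fresh, correctly signed request.
// hash_equals() compares in constant time so the check leaks no timing.
function verifyRequest(string $method, string $path, array $headers, int $now, string $secret): bool
{
    if (!isset($headers['X-Request-Timestamp'], $headers['X-Request-Signature'])) {
        return false;                       // token missing entirely
    }
    if (preg_match('/^\d{1,12}$/', $headers['X-Request-Timestamp']) !== 1) {
        return false;                       // malformed timestamp
    }
    $ts = (int) $headers['X-Request-Timestamp'];
    if (abs($now - $ts) > MAX_SKEW_SECONDS) {
        return false;                       // too old or too far ahead
    }
    $expected = hash_hmac('sha256', canonical($method, $path, $ts), $secret);
    return hash_equals($expected, $headers['X-Request-Signature']);
}

// Demonstration with constructed values: a valid request, the same
// headers replayed against another path, and the same headers an hour later.
$now     = time();
$headers = signRequest('GET', '/home', $now, SHARED_SECRET);
echo 'signed request:   ', verifyRequest('GET', '/home',  $headers, $now,        SHARED_SECRET) ? 'accepted' : 'rejected', PHP_EOL;
echo 'other path:       ', verifyRequest('GET', '/admin', $headers, $now,        SHARED_SECRET) ? 'accepted' : 'rejected', PHP_EOL;
echo 'replayed later:   ', verifyRequest('GET', '/home',  $headers, $now + 3600, SHARED_SECRET) ? 'accepted' : 'rejected', PHP_EOL;
```

The secret has to live only on the CMS and on the permitted server, and the CMS should still serve the page over HTTPS so the signature headers are not exposed in transit.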