
I have a problem with a cURL request.

I want to block it in a few files.

Here is my code on the server:

MyFile.php

<?php
class MyFile {
    public function getName() {
        return "hi";
    }
    public function getBday() {
        return '01-01-1970';
    }
}

$my = new MyFile();
// Calls whichever public method the query string names (the behaviour the
// question describes). The braces are needed so PHP 7+ reads the method name
// from $_GET instead of indexing a property; echo (not return) sends the JSON.
echo json_encode($my->{$_GET['functionName']}());

localhost/test/MyFile.php?functionName=getName

Output: hi

localhost/test/MyFile.php?functionName=getBday

Output: 01-01-1970

I'm calling that file via AJAX, and for security I'm sending a JWT token in the Authorization header of the AJAX request.

That thing is working fine.

But when I try to access that file via cURL from another website, it also responds with data, and I have to prevent that.

AnotherServerFile.php

<?php
// Headers sent with the request: the JWT copied from the browser's AJAX call,
// plus the X-Requested-With header that AJAX libraries such as jQuery add.
$header = array();
$header[] = 'Authorization: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpYXQiOjE1MTk2NTA4NjMsImp0aSI6InQ4OTU3RjBIbE1yQ21UREdUdTNCK0VZdUFsTVZRZUZhNHhnckRyMzRnNXc9IiwiaXNzIjoibmlldHdhY2h0ZW4ubmwiLCJuYmYiOjE1MTk2NTA4NjMsImV4cCI6MTUxOTY1MjY2M30.wN7MA782ix-ln8uKlGNsc-oxMxJNa3hfmY9GjzhVeFhEZm5IJOMd0PU8ppUxDU9_yDGcbKsuPzNzCh6CmPQ1qA';
$header[] = "X-Requested-With: XMLHttpRequest";
$service_url = 'localhost/test/MyFile.php?functionName=getName';
$curl = curl_init($service_url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); //IMP if the url has https and you don't want to verify source certificate
$curl_response = curl_exec($curl);
$response = json_decode($curl_response);
curl_close($curl);

var_dump($response);

This file is on another server, like

example.com/AnotherServerFile.php

And AnotherServerFile.php can access my MyFile.php code via cURL.

So, I want to prevent AnotherServerFile.php from accessing MyFile.php.

Any help will be appreciated.

Nirav Joshi
  • So what are the exact rules of what requests are allowed and what requests are not? – Patrick Q Feb 26 '18 at 18:50
  • @PatrickQ I want the requests to come only from the server. I want to restrict MyFile.php from being used from another server – Nirav Joshi Feb 26 '18 at 18:59
  • If the `AnotherServerFile` is on an other server, preventing [CORS](https://ma.ttias.be/set-access-control-allow-origin-cors-headers-apache-vhost-htaccess/) should do the job I think. – Anthony Feb 26 '18 at 19:00
  • @AnthonyB No, the curl request can specify the `Origin` header. – Patrick Q Feb 26 '18 at 19:02
  • @AnthonyB I already tried it, but I want to prevent it from cURL – Nirav Joshi Feb 26 '18 at 19:03
  • @NiravJoshi If you cannot be more specific about the requests that you want to prevent, then you're going to have a really hard time doing this. A cURL request can easily present itself to look like a browser. There is really nothing special about cURL requests that inherently differentiate them from any other. If the remote server has access to your authorization tokens, then you're pretty much boned. – Patrick Q Feb 26 '18 at 19:05
  • What about using some encryption? It's perhaps heavy, but your client will be the only one to be able to communicate with the server. – Anthony Feb 26 '18 at 19:09
  • @PatrickQ So is there anything I should change in the MyFile.php code? – Nirav Joshi Feb 26 '18 at 19:14
  • @PatrickQ I'm passing the authorization token in the AJAX request as a request header, so anyone can see it. So either I have to prevent cURL, or I have to pass the Authorization token in some hidden manner. Do you have any idea about it? – Nirav Joshi Feb 26 '18 at 19:15
  • Browsers are HTTP clients. cURL is an HTTP client. You can't reliably distinguish between them. If you give a browser the information needed to successfully make a request, then the operator of that browser can do all the same things with cURL. – Quentin Feb 26 '18 at 19:18
  • So, is there any other technique by which I can pass the authentication header as hidden via AJAX (so it can't be viewed by the user via Firebug / Inspect Element)? – Nirav Joshi Feb 26 '18 at 19:25
  • @NiravJoshi "so anyone can see it." That's what SSL is for. See also [this](https://stackoverflow.com/questions/27067251/where-to-store-jwt-in-browser-how-to-protect-against-csrf), [this](https://stormpath.com/blog/jwt-the-right-way#how-to-secure-jwt), [this](https://connect2id.com/products/nimbus-jose-jwt/vulnerabilities) and [this](https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure). – Patrick Q Feb 26 '18 at 19:26
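
The comments establish that the server cannot tell cURL from a browser, so the only real controls are on what the endpoint accepts and how long a leaked token stays usable. The following is an added example, not the asker's code and not an answer from the thread: a rewritten MyFile.php that replaces the any-method dispatch `$my->{$_GET['functionName']}()` with an explicit allowlist, and verifies the HS512 JWT's signature, nbf and exp on the server with a secret that never leaves it. The secret value, the helper names, the optional "Bearer " prefix and the assumption that PHP exposes the header as `$_SERVER['HTTP_AUTHORIZATION']` (some Apache setups strip it) are all assumptions of this example.

```php
<?php
// Added example (not the asker's code): a hardened MyFile.php.
// Assumes an HS512-signed JWT whose shared secret is known only to this server
// (placeholder below), sent in the Authorization header as on the original page.
declare(strict_types=1);

const JWT_SECRET = 'replace-with-a-long-random-secret'; // placeholder, not a real key

class MyFile {
    public function getName(): string { return "hi"; }
    public function getBday(): string { return '01-01-1970'; }
}

// Only these method names may be invoked from the request. Any other name,
// including other public methods of the class, is refused.
const ALLOWED_FUNCTIONS = ['getName', 'getBday'];

/** Decode base64url; returns false on malformed input. */
function base64UrlDecode(string $s) {
    $pad = strlen($s) % 4;
    if ($pad) { $s .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($s, '-_', '+/'), true);
}

/** Verify an HS512 JWT: structure, pinned algorithm, constant-time signature check, nbf/exp. */
function verifyJwt(string $token, string $secret, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) { return null; }
    [$h64, $p64, $s64] = $parts;
    $header  = json_decode((string) base64UrlDecode($h64), true);
    $payload = json_decode((string) base64UrlDecode($p64), true);
    $sig     = base64UrlDecode($s64);
    if (!is_array($header) || !is_array($payload) || $sig === false) { return null; }
    // Pin the algorithm instead of trusting whatever "alg" the token claims.
    if (($header['alg'] ?? '') !== 'HS512') { return null; }
    $expected = hash_hmac('sha512', "$h64.$p64", $secret, true);
    if (!hash_equals($expected, $sig)) { return null; }
    if (isset($payload['nbf']) && $now < (int) $payload['nbf']) { return null; }
    if (!isset($payload['exp']) || $now >= (int) $payload['exp']) { return null; }
    return $payload;
}

/** Accept the raw token (as the asker sends it) or a "Bearer <token>" form. */
function tokenFromHeader(?string $authorization): ?string {
    if ($authorization === null || trim($authorization) === '') { return null; }
    return preg_replace('/^Bearer\s+/i', '', trim($authorization));
}

function respond(int $status, $body): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

$token  = tokenFromHeader($_SERVER['HTTP_AUTHORIZATION'] ?? null);
$claims = $token === null ? null : verifyJwt($token, JWT_SECRET, time());
if ($claims === null) {
    respond(401, ['error' => 'invalid or expired token']);
}

$fn = $_GET['functionName'] ?? '';
if (!in_array($fn, ALLOWED_FUNCTIONS, true)) {
    respond(400, ['error' => 'unknown function']);
}

$my = new MyFile();
respond(200, $my->$fn());
```

A request carrying a valid, unexpired token with functionName=getName still returns "hi" whether it comes from a browser or from cURL; that is expected and cannot be changed. What changes is that a forged or stale token is rejected, a copied token stops working at its exp (the token on the page expires 30 minutes after iat), and functionName can no longer name an arbitrary method. Serving the endpoint over HTTPS, as the last comment notes, keeps the token from being read in transit.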

0 Answers