-3

I'm using this code for my api application.

//send.php
$url = 'http://example.com/api/';
$ch = curl_init($url);
$jsonData = array(
    'username' => 'MyUsername',
    'password' => 'MyPassword'
);
$jsonDataEncoded = json_encode($jsonData);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonDataEncoded);

//Set the content type to application/json
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json')); 

//Execute the request
$result = curl_exec($ch);

I can allow only POST method request and check content type set to application/json. How can I allow access API only using HTTPS?

   //receive.php  
        if(strcasecmp($_SERVER['REQUEST_METHOD'], 'POST') != 0){
            throw new Exception('Request method must be POST!');
        }

        $contentType = isset($_SERVER["CONTENT_TYPE"]) ? trim($_SERVER["CONTENT_TYPE"]) : '';
        if(strcasecmp($contentType, 'application/json') != 0){
            throw new Exception('Content type must be: application/json');
        }

        $content = trim(file_get_contents("php://input"));
        $decoded = json_decode($content, true);
        if(!is_array($decoded)){
            throw new Exception('Received content contained invalid JSON!');
        }

thanks

cloude
  • 338
  • 5
  • 18

1 Answers1

0

Thanks,

Added this code in receive.php.

I have send.php (on server without https connection) and receiving.php (on server with https connection)

The results is: 'https'

Instead I need to check connection from send.php

   $https = !empty($_SERVER['HTTPS']) && strcasecmp($_SERVER['HTTPS'], 'on') === 0 ||
            !empty($_SERVER['HTTP_X_FORWARDED_PROTO']) &&
                strcasecmp($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') === 0;

    echo ($https) ? 'https://' : 'http://';
cloude
  • 338
  • 5
  • 18