
I'm currently developing a forum-like website for the purpose of learning to develop web applications and application security. Some parts of the website are protected by credentials.

But there is a .php script that returns the latest news. My news.php (through JavaScript and jQuery ajax) makes a request to return_news.php to get a JSON file of information about the latest news. And at this point a problem arises. Anyone can send a request to return_news.php and display my data on their website. I want to make it so that only the files on my host can make requests to my endpoints, or make the data accessible only through my domain https://www.example.com and reject any request that comes from other origins.

What I've done:

I did some research on the internet. Read some articles about CORS and .htaccess file. But my host is on a cloud server and I don't think I have access to it. And I couldn't find a way of checking the current configurations for my hosting. The issue seems to be related to CORS but I couldn't find a detailed explanation on how to achieve my goal.

Summary: How can I configure my website so that the content is only available through my domain (e.g. https://www.example.com), my API responds only to requests that originate from my domain, and my content can't be obtained by just a GET request and displayed on another website?

Rookie
  • Look into PHP `$_SERVER[]` superglobal. Might help on the side of the news generating PHP script. – DeDee Jun 18 '19 at 14:53
  • @DeDee It is written on the internet that checks done with the $_SERVER global can be spoofed but I can't understand how. – Rookie Jun 18 '19 at 16:50

1 Answer

By default browsers block the response of ajax requests to cross domains, for security reasons. This means that by default, any website from another domain that creates an ajax request to your return_news.php will not get the response (although the request will be made).

There is also an HTTP header for specifying whether you want to allow CORS or not. Thus in your case, just to be sure, you can set it at the top of your return_news.php file:

header("Access-Control-Allow-Origin: https://www.example.com");

This instructs browsers to return the response only when the ajax request comes from a page under the www.example.com domain.

You can check it by visiting a page on any other domain and testing it in the JavaScript console, then check the network tab for more info.

fetch('https://www.example.com/return_news.php').then(function(response) {console.log(response);})

GramThanos
  • Thanks a lot, this answers the question. One more thing. These headers specify how browsers work, right? Because when I send my js file to another computer, the request is no longer generated from my host but by that computer. So in reality the request does not originate from my domain (or my machine). But the browser can figure out a user is on my domain and accept the result. Do I understand it right? – Rookie Jun 24 '19 at 07:18
  • If I understand your question correctly, yes. Your server delivers content based on the HTTP protocol, the browser loads that content and is responsible for interpreting it (rendering the HTML on your page, executing the JavaScript) based on the HTML/JS/CSS standards. Your server tries to help and work with the browser by setting headers (the browser also sets headers to help the server). On the other hand, the browser wants to protect the user and keep each webpage in a sandbox, thus it applies limits on CORS. You can view all the communication in the network tab of the developer tools (headers too). – GramThanos Jun 24 '19 at 13:58
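As an added example (not code from the asker or the answerer), here is a hypothetical return_news.php that sends the CORS header only for an allowlisted origin, echoing back the matched value and adding Vary: Origin so caches do not mix origins. The allowlist, the sample news array and the endpoint layout are assumptions; the point a practitioner should keep in mind is that CORS only controls what a browser hands to a cross-origin script, so a direct GET from curl or another server still receives the data, and real protection of the data itself needs authentication.

```php
<?php
// Added example, not the original poster's or the answer's code.
// Hypothetical return_news.php: CORS headers only for allowlisted origins.
// Caveat: CORS is enforced by browsers only. A non-browser client (curl,
// a server-side fetch) ignores it, so this limits which *web pages* can
// read the JSON, not who can request it.

// Origins whose page scripts may read this endpoint (assumed values).
$allowedOrigins = [
    'https://www.example.com',
    'https://example.com',
];

// Browsers send Origin on cross-origin requests; same-origin GETs may omit it.
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';

if ($origin !== '' && in_array($origin, $allowedOrigins, true)) {
    // Echo the exact allowlisted value, never the raw header and never "*"
    // on an endpoint that could later carry credentials.
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin');   // keep shared caches from reusing another origin's header
    header('Access-Control-Allow-Methods: GET');
}
// An unknown origin simply gets no Access-Control-Allow-Origin header, so
// the browser withholds the response from that page's script.

// Answer a preflight (sent for non-simple requests) without a body.
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);
    exit;
}

header('Content-Type: application/json; charset=utf-8');

// Constructed sample data standing in for the real news query.
$news = [
    ['id' => 1, 'title' => 'Site launched',      'published' => '2019-06-18'],
    ['id' => 2, 'title' => 'New forum section',  'published' => '2019-06-20'],
];

echo json_encode($news, JSON_UNESCAPED_SLASHES);
```

Test it from the browser console on a page hosted at a non-allowlisted origin: the request appears in the network tab with a 200 response, yet the fetch promise rejects because the header is missing, which is the behaviour the answer describes.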