
Most third-party services that allow you to add something to your website, like widgets or analytics, make you copy a script with a public key (or some variation of that) and request the rest from the back-end.

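```html
<script>
  // Public identifier for the account; visible to anyone who views the page source
  window.publicKey = 1
</script>
<!-- Absolute URL: without a scheme the browser treats the value as a relative path -->
<script src='https://domain.com/publicWidget'></script>
```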

So you make an account, you set up everything, embed the code, thing appears on your website.

If no information from the client can be trusted, what stops someone from just copying the script on their website? How do you make sure that only your users can use it?

Is there a 'safe/secure' way in PHP to check if a request comes from a domain you trust/allow?

RDU
  • Chances are, in the backend of the analytics tool, the API key or whatever you have to put into the script to identify it, is associated with a specific website domain (I'd expect this is set when you configure the analytics system). So if the backend then receives data associated with a different domain, it would realise there's a problem. – ADyson Mar 17 '23 at 11:14
  • @ADyson Right, so I let users add their domains to the account settings, but then, is there no way for someone to make a request from another domain, and make it appear that it comes from a different one? – RDU Mar 17 '23 at 11:19
  • Well you can see the IP it comes from, although if the data comes from the browser side that's not a lot of help. If the widget is making requests to send data to the analytics backend via AJAX, I expect it would be cross-domain and therefore subject to CORS restrictions, so that's a simple way you can enforce, on the server-side, the source domains which are allowed to make requests to the backend. – ADyson Mar 17 '23 at 11:29
  • And that should be safe on the whole - a bit of background info [here](https://stackoverflow.com/questions/21058183/whats-to-stop-malicious-code-from-spoofing-the-origin-header-to-exploit-cors). It's not outright security in the traditional sense, as that answer says, but it is a guardrail and ought to do the job for what you need. If you want to protect against the scenario where someone decides to spoof requests to your backend from a non-browser client, you'd have to look at things like rate limits, IP blocking and so on to try and mitigate that, just like any API service really. – ADyson Mar 17 '23 at 11:31
