How can I make sure that the origin of the request to my server is legit?
I am developing a web application where I have to make sure that the origin of the request, as provided through HTTP headers, is correct.
Let's say I am expecting a request from example.com. As far as I know, the only way to check the request origin (as a domain) is through the provided request headers. I know that I can control access to the server through the Allow-Access-Control-Headers: "example.com" header, but what is preventing example2.com from putting an Origin header that says the request is coming from example.com?
php apache web server cors
asked Jan 2 at 18:27
Akil Demir
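As an added example (not code from the question or the answer; the hostnames and request headers are constructed samples), this Python sketch shows the server side of the check the question describes: an exact-match allowlist for the Origin header that decides whether an Access-Control-Allow-Origin grant is emitted at all. The page's tags name PHP and Apache; the logic ports directly. The third sample request illustrates the limit the question is circling: a non-browser client that simply sends the right Origin is indistinguishable from a real browser page on example.com, so this check governs which browser pages may read the response and nothing more. The names normalize_origin, cors_headers and substring_check are chosen here.

```python
"""Server-side CORS origin allowlisting (added example, not from the question or answer).

The Origin header is set by the client. A browser fills it in honestly, but any
other HTTP client can send whatever it likes, so this check only governs which
*browser* pages may read the response; it is not authentication.
"""
from urllib.parse import urlsplit

# Exact origins (scheme + host + optional port) allowed to read our responses.
# Constructed sample values.
ALLOWED_ORIGINS = frozenset({
    "https://example.com",
    "https://app.example.com",
})


def normalize_origin(origin: str):
    """Return 'scheme://host[:port]' for a syntactically valid origin, else None."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A real Origin has no path, query, fragment or userinfo.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    host = parts.hostname.lower()
    default = 443 if parts.scheme == "https" else 80
    try:
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(request_headers: dict) -> dict:
    """Compute CORS response headers for one request.

    Returns an empty dict (no CORS grant) unless the Origin matches the
    allowlist exactly. Never reflect an arbitrary Origin back, and never
    match on substrings: "https://example.com.attacker.test" would pass a
    naive '"example.com" in origin' test.
    """
    origin = normalize_origin(request_headers.get("Origin", ""))
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # the grant depends on Origin, so caches must key on it
    }


def substring_check(origin: str) -> bool:
    """The check a developer might write first; shown only for contrast."""
    return "example.com" in origin


if __name__ == "__main__":
    # Constructed requests: a browser page on example.com, a look-alike host,
    # and a non-browser client asserting the expected Origin by hand. The last
    # one passes, which is exactly why the header cannot authenticate a caller.
    for hdrs in (
        {"Origin": "https://example.com"},
        {"Origin": "https://example.com.attacker.test"},
        {"Origin": "https://example.com", "User-Agent": "curl/8.0"},
    ):
        print(hdrs["Origin"], "->", cors_headers(hdrs))
```

The allowlist is keyed on the full origin (scheme, host, port) rather than a bare domain because a browser compares all three when it enforces CORS; comparing only the hostname would let http://example.com read responses meant for https://example.com.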
1 Answer
Unfortunately you can't, as it can be faked easily. If your application requires top-notch security then I suggest you look into AUTH tokens.
answered Jan 2 at 18:38
Sourabh Swarnkar
That was the first thing that I thought, but this would require a manual process (I have to share the token with the client manually to actually know that this is the client that I want). This is why I started to look at other ways, but it seems I have no other choice but a manual process. Thanks!
– Akil Demir, Jan 3 at 9:34
If auth looks too complicated then try sessionless JWT tokens. It's simpler than auth and effective. If your API calls are from some website then you can easily validate three things simultaneously, i.e. the IP address of the server calling your API, the request origin, and the domain name. All these details can be inserted in your JWT tokens. However, if your API calls are through some mobile app then it becomes complicated to check. In my current apps I provide an interface for clients to generate their permanent JWT tokens.
– Sourabh Swarnkar, Jan 3 at 10:21