Cei

PHP - Source (hostname) of a GET request

I have a JavaScript widget that people can embed on their site.

I want to use a simple cross domain get request to pull in a hash.

However I need my PHP script to only allow this cross domain request from a series of domains I have stored in an array.

What can I do in my PHP script (not in .htaccess or iptables) to find out the source (hostname) of the GET request?

Upvotes: 6

Views: 15242

Answers (3)

Pascal MARTIN

Reputation: 400912

Considering the client (user's browser) can send you whatever it wants, I would say there is no way to be sure which website your script is called from:

  • As you want to know the URL of the website embedding your widget, and not the address of the user, $_SERVER['REMOTE_HOST'] will not help
  • $_SERVER['HTTP_REFERER'] could seem OK, but actually is not:
    • The client doesn't have to send it (and it doesn't always do so)
    • As it is sent by the client, it can be forged / faked quite easily

So, I'd say there is no real solution to this problem, at least on your server's side (if I'm wrong, I'm interested to know!)

But maybe you can do something on the client's side: when writing all this, I thought about Google Maps, and its system of API keys:

  • you have a (unique) API key for your domain
  • when you load the JS scripts from Google, you send this key
  • if the key is not registered for the domain on which you are trying to display the map, there is an alert message, saying "The Google Maps API server rejected your request. This could be because the API key used on this site was registered for a different web site."
    • but the map seems to be displayed anyway -- at least on my test server
  • this alert is really annoying for the end-user, and I don't think anyone would want an alert displayed on their site because they are using your service without authorisation...

Maybe you can have a look at how this is done for Google Maps :-)

Upvotes: 3
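
The key-per-domain idea from the answer above, combined with a Referer check, as an added PHP example (not part of the original answer and not Google's implementation). The key registry, the key values, the `key` query parameter and the function name are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical registry: API key => domain it was issued for (constructed values).
// The key travels in the embedding page's JavaScript, so it is an identifier,
// not a secret.
const WIDGET_KEYS = [
    'k-example-1111' => 'shop.example',
    'k-example-2222' => 'blog.example',
];

/**
 * Classify a widget request as 'ok', 'unknown_key', 'no_referer' or
 * 'domain_mismatch'. The Referer header is client-supplied: this catches
 * ordinary browsers loading the widget from an unregistered site, but it
 * cannot authenticate a client that sets the header itself.
 */
function classify_widget_request(array $server, array $query, array $keys = WIDGET_KEYS): string
{
    $key = $query['key'] ?? '';
    if (!is_string($key) || !isset($keys[$key])) {
        return 'unknown_key';
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    // parse_url() returns false or null when there is no usable host.
    $host = is_string($referer) ? parse_url($referer, PHP_URL_HOST) : null;
    if (!is_string($host) || $host === '') {
        return 'no_referer'; // header stripped by a proxy or never sent
    }
    $host = strtolower(rtrim($host, '.'));
    // Exact host comparison: a substring test would also accept
    // a host such as shop.example.other.test.
    return $host === $keys[$key] ? 'ok' : 'domain_mismatch';
}

// Constructed sample requests; in the real script pass $_SERVER and $_GET.
$samples = [
    [['HTTP_REFERER' => 'https://shop.example/cart'], ['key' => 'k-example-1111']],
    [['HTTP_REFERER' => 'https://shop.example.other.test/'], ['key' => 'k-example-1111']],
    [[], ['key' => 'k-example-2222']],
    [['HTTP_REFERER' => 'https://blog.example/'], ['key' => 'not-issued']],
];
foreach ($samples as [$server, $query]) {
    echo ($server['HTTP_REFERER'] ?? '(none)'), ' => ',
        classify_widget_request($server, $query), PHP_EOL;
}
```

How to treat `no_referer` is a policy choice: rejecting it blocks legitimate visitors whose header is stripped, while accepting it lets any request without the header through.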

BlackAura

Reputation: 3208

If the requests are coming from JavaScript, you could check the HTTP referrer header ($_SERVER['HTTP_REFERER']). However, it's optional - some proxies or security programs strip the referrer header out of HTTP requests.

Upvotes: 1

Mike Dinescu

Reputation: 55720

You could use the $_SERVER variable. In particular the $_SERVER['REMOTE_HOST'] but see below for caveat:

However, your web server must be configured to create this variable. For example in Apache you'll need HostnameLookups On inside httpd.conf for it to exist. See also gethostbyaddr().

Upvotes: 1
