Nikster2014

Reputation: 409

Authenticating referer site using HTTP_REFERER and IP address

I have a web service (which returns data) which is accessible only to a few "whitelisted" remote servers. So when a remote server sends a request to my server, I would check the $_SERVER['HTTP_REFERER'] field for the whitelisted domain name and the corresponding IP address (which was known to my web service through a global array). Can this method of whitelisting requests be bypassed? I know it is easy to implement referer spoofing... but do keep in mind that I am checking both the referer and the corresponding IP address, both of which are known to my app with certainty.

If this is NOT a safe thing to do, does anyone have an alternate method of allowing only "whitelisted" domains to access a given web service?

Upvotes: 0

Views: 2601

Answers (2)

DaSourcerer

Reputation: 6606

I do not believe checking the Referer HTTP header in addition to the originating IP address yields any security benefits at all. Having said this, IP-based auth itself isn't the safest practice. If you really want to protect your API, better look into SSL and some form of HTTP authentication.

Upvotes: 1

deceze

Reputation: 522015

As commented, I'm not sure why an HTTP Referer header would be set in the first place in your scenario, but let's assume it is and its domain corresponds to the IP of the client. The Referer header is an arbitrary value sent by the client; it's trivially spoofed. The client's IP OTOH is not spoofable (excluding elaborate network-level attacks which require the attacker to basically already have compromised one side or the other). What you're asking is whether it makes sense to use an insecure, meaningless value to confirm a value which is already as secure as you can get. And the answer is No. Just stick to the IP filter, that's already good enough.

If you want to strengthen authentication further, use a proper authentication scheme in which you share a secret with your clients (username/password, API token, OAuth or similar).

Upvotes: 1
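The following is an added example, not code from the asker or from either answer, showing what both answers recommend in practice: keep the IP allow-list (read from REMOTE_ADDR, never from the Referer), and add a shared-secret check. The header names (X-Client-Id, X-Timestamp, X-Signature), the client ids, secrets, IP addresses and the request itself are all constructed for this example; the $_SERVER array is replaced by a constructed $server array so the script runs from the command line.

```php
<?php
// Added example: IP allow-list plus HMAC-signed requests using a shared secret.
// Every value below is constructed; in a real deployment the allow-list and the
// secrets would come from configuration, not from source code.

// Assumed allow-list of caller IP addresses (constructed values).
const ALLOWED_IPS = ['203.0.113.10', '198.51.100.7'];

// Assumed per-client shared secrets (constructed values).
const CLIENT_SECRETS = [
    'partner-a' => 'constructed-secret-for-partner-a',
];

// REMOTE_ADDR is set by the web server from the TCP connection, so it is not
// client-controlled. Caveat: behind a reverse proxy REMOTE_ADDR is the proxy's
// address and headers such as X-Forwarded-For are client-controlled unless the
// proxy is configured to overwrite them.
function isAllowedIp(string $remoteAddr): bool
{
    return in_array($remoteAddr, ALLOWED_IPS, true);
}

// The client signs method, path, timestamp and body with its shared secret
// (HMAC-SHA256) and sends the result in X-Signature. The timestamp limits how
// long a captured request stays valid.
function hasValidSignature(array $server, string $body, int $now, int $maxSkew = 300): bool
{
    $clientId  = $server['HTTP_X_CLIENT_ID'] ?? '';
    $timestamp = $server['HTTP_X_TIMESTAMP'] ?? '';
    $signature = $server['HTTP_X_SIGNATURE'] ?? '';

    if (!isset(CLIENT_SECRETS[$clientId]) || !ctype_digit($timestamp)) {
        return false;
    }
    // Reject stale requests (and ones dated in the future).
    if (abs($now - (int) $timestamp) > $maxSkew) {
        return false;
    }

    $payload = implode("\n", [
        $server['REQUEST_METHOD'] ?? '',
        $server['REQUEST_URI'] ?? '',
        $timestamp,
        $body,
    ]);
    $expected = hash_hmac('sha256', $payload, CLIENT_SECRETS[$clientId]);

    // Constant-time comparison so the check does not leak the expected value.
    return hash_equals($expected, $signature);
}

function authorizeRequest(array $server, string $body, int $now): bool
{
    // HTTP_REFERER is deliberately not consulted: it is an arbitrary value
    // chosen by the client and adds nothing to the IP check.
    return isAllowedIp($server['REMOTE_ADDR'] ?? '')
        && hasValidSignature($server, $body, $now);
}

// A constructed request as a whitelisted client would send it.
$now  = 1700000000;
$body = '{"query":"report"}';
$server = [
    'REMOTE_ADDR'      => '203.0.113.10',
    'REQUEST_METHOD'   => 'POST',
    'REQUEST_URI'      => '/api/data',
    'HTTP_X_CLIENT_ID' => 'partner-a',
    'HTTP_X_TIMESTAMP' => (string) $now,
];
$server['HTTP_X_SIGNATURE'] = hash_hmac(
    'sha256',
    implode("\n", ['POST', '/api/data', (string) $now, $body]),
    CLIENT_SECRETS['partner-a']
);
var_dump(authorizeRequest($server, $body, $now));

// The same request with a "whitelisted" Referer added but no valid signature:
// the Referer does not help it, and it is rejected.
$spoofed = $server;
$spoofed['HTTP_REFERER']     = 'https://whitelisted.example.com/';
$spoofed['HTTP_X_SIGNATURE'] = str_repeat('0', 64);
var_dump(authorizeRequest($spoofed, $body, $now));
```

Run with `php example.php`: the signed request from an allow-listed address is accepted, the second one is rejected even though it carries a matching Referer, which is the point of deceze's answer. Pairing this with TLS, as DaSourcerer suggests, keeps the signed headers and the body from being read or altered in transit.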
