Reputation: 591
I want to create an API, and to authenticate API consumers, I will provide an API KEY, App-id and App-Secret. The problem is that I want to know where the HTTP request is coming from, so that I can know if the host that is making the request is the registered host. For example: www.someone.com has an app-id: 0001, app-secret: 1200 and api-key: 458. If these credentials are used to make a request, I want to know if the requester is really www.someone.com
Upvotes: 26
Views: 88654
Reputation: 1050
Technically neither origin nor referer are required HTTP headers; all of these answers are based on specific browser headers sent, and basing your system on different behaviors of clients is a bad idea.
The correct answer is you can't reliably get the client origin on every request because it isn't required as part of the HTTP specification.
Upvotes: 6
Reputation: 92347
Laravel 5: in request method controller:
$origin = request()->headers->get('origin');
Upvotes: 12
Reputation: 9225
Generally, this header should do the job. Having the domain name in this header
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN'] . "");
// use domain name instead of $_SERVER['HTTP_ORIGIN'] above
but if you want to check for more info, use something like the following snippet
$allowed = array('domain1', 'domain2', 'domain3');
if (isset($_SERVER['HTTP_ORIGIN']) && in_array($_SERVER['HTTP_ORIGIN'], $allowed, true)) {
    // SELECT credentials for this user account from database
    // hash_equals() compares in constant time and avoids loose == type juggling
    if (isset($_GET['api_key'], $_GET['app_secret'])
        && is_string($_GET['api_key']) && is_string($_GET['app_secret'])
        && hash_equals('api_key_from_db', $_GET['api_key'])
        && hash_equals('app_secret_from_db', $_GET['app_secret'])
    ) {
        // all fine
    } else {
        // not allowed
    }
} else {
    // not allowed
}
If the users have to pass more data to your service, use POST instead of GET
Upvotes: 26
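An added example, not code from any of the answers on this page: it combines the allowlist idea above with the point that Origin is optional and client-controlled, so the credentials authenticate the caller and the Origin check only restricts browser calls. The registry layout, the function name check_request and the credential values (taken from the question's example) are assumptions.

```php
<?php
// Added example: the registry, function name and credential values are constructed.
$apps = [
    '458' => [                                   // api_key from the question's example
        'origins'     => ['https://www.someone.com'],
        'secret_hash' => hash('sha256', '1200'), // store a hash, not the secret
    ],
];

function check_request(array $apps, array $server, array $params): array
{
    $deny = fn(int $status) => ['status' => $status, 'headers' => []];

    // 1. Credentials authenticate the caller. Reject non-string input
    //    (e.g. api_key[]=x) and compare the secret in constant time.
    $key    = $params['api_key'] ?? null;
    $secret = $params['app_secret'] ?? null;
    if (!is_string($key) || !is_string($secret) || !isset($apps[$key])) {
        return $deny(401);
    }
    if (!hash_equals($apps[$key]['secret_hash'], hash('sha256', $secret))) {
        return $deny(401);
    }

    // 2. Origin is optional and client-controlled: absent for most non-browser
    //    clients, so treat it as an extra restriction on browser calls only.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null) {
        return ['status' => 200, 'headers' => []];
    }
    // Origin values carry the scheme ("https://host[:port]"); match exactly.
    if (!in_array(strtolower($origin), $apps[$key]['origins'], true)) {
        return $deny(403);
    }

    // 3. Echo back only an allowlisted origin, and tell caches it varies.
    return ['status' => 200, 'headers' => [
        'Access-Control-Allow-Origin: ' . strtolower($origin),
        'Vary: Origin',
    ]];
}

// Constructed requests: registered origin, unregistered origin, no Origin header.
$creds = ['api_key' => '458', 'app_secret' => '1200'];
foreach (['https://www.someone.com', 'https://other.example', null] as $o) {
    $server = $o === null ? [] : ['HTTP_ORIGIN' => $o];
    $r = check_request($apps, $server, $creds);
    echo ($o ?? '(none)'), ' => ', $r['status'], ' ', implode(', ', $r['headers']), PHP_EOL;
}
```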
Reputation: 397
Use $_SERVER['HTTP_REFERER']. It is the address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature.
For further restrictions you can perform the following. example.com should be changed to your domain.
IIS set below in web config:
<add name="Access-Control-Allow-Origin" value="http://www.example.com" />
Apache set below in httpd.conf/apache.conf
Header add Access-Control-Allow-Origin "http://www.example.com"
Upvotes: 5
Reputation: 482
I think what you mean is that you want to access the "Origin" header in the request headers (as opposed to setting it in the response headers).
For this the easiest way is to access the built-in getallheaders() function - which is an alias for apache_request_headers() - N.B. this is assuming you are using PHP as a module.
This returns an array so the Origin header should be available like this:
$request_headers = getallheaders();
// Origin is optional, so fall back to null when the client did not send it
$origin = $request_headers['Origin'] ?? null;
If you are using PHP via something like FastCGI then I believe it would be made available in the environment - usually capitalised and prefixed by "HTTP_" so it should be $_SERVER['HTTP_ORIGIN'].
Hope that helps anyone else looking for this :)
Upvotes: 2
Reputation: 9113
Using a var_dump you can see all that the request has to offer.
var_dump($_REQUEST);
Do a var_dump on the server global as well. It contains a lot of useful information.
var_dump($_SERVER);
Upvotes: 4