user1626498

Reputation: 139

validate HTTP requests with header "origin"

  1. I have a REST API in https://domain1.com
  2. I want to accept requests only from https://domain2.com

Question: Can I rely on the "origin" header to accept requests only from https://domain2.com?

Note that both websites are secured with SSL.

It would be something like this:

// getallheaders() keeps the sender's header casing ("Origin"), so lower-case the
// keys first; otherwise $headers['origin'] is never set and the check misfires.
$headers = array_change_key_case(getallheaders(), CASE_LOWER);
// Use ?? so a request with no Origin header is rejected instead of raising a notice.
if (($headers['origin'] ?? '') !== 'https://domain2.com') {
    return FALSE;
}

Upvotes: 2

Views: 1915

Answers (1)

kicken

Reputation: 2167

Relying on the Origin header would be similar to relying on a Cookie. A well-behaved client (such as a browser) will send it with the correct value. An attacker would simply spoof it to whatever value they need to get your service to work.

You can use it as a way to prevent someone from using your API on their site directly from the browser. You cannot use it to prevent someone from using your API via a proxy or accessing it directly to download data.

Upvotes: 4
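The kind of check the answer describes, as an added example that is not code from the question or the answer: an exact-match Origin allow-list for a PHP API that blocks other sites' browser-side code, with the caveat that it is not authentication. The allow-list entry and the 403 handling are assumptions.

```php
<?php
// Added example (not the question's or answer's code); allow-list value is assumed.

// Normalise "scheme://host[:port]" to lower-case "scheme://host:port" so comparison
// is exact; null for anything that is not a bare origin (userinfo, path, query, ...).
function normaliseOrigin(string $origin): ?string
{
    $p = parse_url($origin);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || isset($p['user']) || isset($p['path']) || isset($p['query']) || isset($p['fragment'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return $scheme . '://' . strtolower($p['host']) . ':' . $port;
}

// True only when the Origin header exactly equals one allowed origin, so
// "https://domain2.com.evil.example" or "https://domain2.com@evil.example" cannot pass.
function originAllowed(array $headers, array $allowedOrigins): bool
{
    // Header names are case-insensitive and getallheaders() keeps the sender's
    // casing ("Origin"), which is why $headers['origin'] alone misses it.
    $headers = array_change_key_case($headers, CASE_LOWER);
    $origin  = $headers['origin'] ?? null;
    // Absent Origin or the literal "null" (sandboxed / file: page): not allowed.
    if ($origin === null || $origin === 'null') {
        return false;
    }
    $norm = normaliseOrigin($origin);
    if ($norm === null) {
        return false;
    }
    foreach ($allowedOrigins as $allowed) {
        if ($norm === normaliseOrigin($allowed)) {
            return true;
        }
    }
    return false;
}

// Endpoint usage. This only blocks other websites' browser-side code; a direct
// client or proxy sets its own Origin, so pair it with real authentication.
if (!originAllowed(getallheaders(), ['https://domain2.com'])) {
    http_response_code(403);
    exit('Forbidden');
}
```

Browsers set Origin themselves on cross-site requests and page scripts cannot override it, which is the only reason the check holds against other websites; any other client chooses the value freely.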
