darki73

Reputation: 1127

Is it possible to protect API with these methods?

So far, I've tried to make something like:

  1. Check users IP address and Host
  2. If both match allowed Host & IP, allow access
  3. If no, display error

I'm building an API, and so far all requests are coming only from my host. And here is the problem:

  1. How to allow these requests to be executed only if they are coming from localhost (there are a few that should only be executed by a specified host; the rest of the methods should be available to the public)
  2. How to prevent people from spoofing Referer and X-Forwarded-For
  3. Is it even possible?

Here are some bits of code:

Set Access Origin Header

if (isset($_SERVER['HTTP_REFERER'])) {
    // Reduce the Referer to scheme://host. parse_url() avoids the empty host that the
    // original substr()/strpos() approach produced when the referer had no path part.
    $refererProtocol = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_SCHEME);
    $refererHost     = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
    $ACAO = $refererProtocol . '://' . $refererHost;
    $this->accessControl = [
        'allow_origin'  =>  $ACAO,
        'from_referer'  =>  true
    ];
    header("Access-Control-Allow-Origin: " . $ACAO);
} else {
    // No Referer sent: fall back to our own host as the allowed origin
    $this->accessControl = [
        'allow_origin'  =>  'https://' . $_SERVER['HTTP_HOST'],
        'from_referer'  =>  false
    ];
    header("Access-Control-Allow-Origin: " . 'https://' . $_SERVER['HTTP_HOST']);
}

Check Request Origin

$localHost = 'https://' . $_SERVER['SERVER_NAME'];

// Only our own origin or the configured allow_host may call this method
if ($this->accessControl['allow_origin'] === $localHost || $this->accessControl['allow_origin'] === $this->Settings['allow_host']) {
    // A proxied request cannot be verified by REMOTE_ADDR, so reject it
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $this->JSON->apiError(403, 'You are not allowed to execute this method', ['MyAPI', 'onlyLocalHost']);
        return false;
    } else {
        // Direct connection: the socket peer must be the configured allow_ip
        if ($this->Settings['allow_ip'] === $_SERVER['REMOTE_ADDR']) {
            return true;
        } else {
            $this->JSON->apiError(403, 'You are not allowed to execute this method', ['MyAPI', 'onlyLocalHost']);
            return false;
        }
    }
} else {
    $this->JSON->apiError(403, 'You are not allowed to execute this method', ['MyAPI', 'onlyLocalHost']);
    return false;
}

And everything could've been perfect, except for one thing: I'm running CloudFlare, and obviously I cannot check REMOTE_ADDR anymore.

So, are there any possible solutions to this problem?

Upvotes: 1

Views: 146

Answers (1)

Sasa Jovanovic

Reputation: 334

Cloudflare sends a few variables:

$_SERVER["HTTP_CF_CONNECTING_IP"] provides the client (visitor) IP address.

$_SERVER["HTTP_CF_IPCOUNTRY"] provides the country of the visitor.

$_SERVER["HTTP_CF_VISITOR"] shows the scheme used to connect: HTTP or HTTPS.

$_SERVER["HTTP_CF_RAY"] The CF-Ray header is passed on which includes a hash appended with the datacenter the request came through.

Also, you can use $_SERVER['HTTP_X_FORWARDED_FOR']. This is a well-established HTTP header used by proxies, including CloudFlare, to pass along other IP addresses in the request.

More: https://support.cloudflare.com/hc/en-us/articles/200170986

Upvotes: 2
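An added example, not code from the question or the answer, that combines the answer's CF-Connecting-IP header with the question's allowed-IP check: the header is trusted only when REMOTE_ADDR itself is a Cloudflare edge, because any other client can set CF-Connecting-IP or X-Forwarded-For to whatever it likes. The CIDR list is a constructed placeholder (the real ranges are published at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), and the function names ipInCidr, clientIp and isAllowedForLocalMethod are my own.

```php
<?php
// Added example: resolve the real client IP behind Cloudflare without trusting
// a header that a direct (non-Cloudflare) client could have forged.

// Constructed placeholder range (TEST-NET-3). In production load the current
// lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
const TRUSTED_PROXY_CIDRS = ['203.0.113.0/24'];

// True when $ip falls inside $cidr; works for IPv4 and IPv6, rejects mixed families.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin     = inet_pton($ip);
    $subnetBin = inet_pton($subnet);
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false;
    }
    $bits      = min((int) $bits, strlen($ipBin) * 8);
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    $remaining = $bits % 8;
    if ($remaining === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remaining)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

// Returns the address to base access decisions on. CF-Connecting-IP is used only
// when the TCP peer is a trusted proxy; otherwise the socket address is authoritative
// and any CF-* or X-Forwarded-For header the peer sent is ignored.
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    foreach (TRUSTED_PROXY_CIDRS as $cidr) {
        if (ipInCidr($peer, $cidr)) {
            $cf = $server['HTTP_CF_CONNECTING_IP'] ?? '';
            if (filter_var($cf, FILTER_VALIDATE_IP) !== false) {
                return $cf;
            }
        }
    }
    return $peer;
}

// The question's "only my host" check, now usable behind Cloudflare.
function isAllowedForLocalMethod(array $server, string $allowedIp): bool
{
    return clientIp($server) === $allowedIp;
}
```

If the origin server is reachable directly as well as through Cloudflare, a direct caller is judged by REMOTE_ADDR alone here, so firewalling the origin to the proxy ranges closes the remaining gap.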
