How to ensure the HTTP_REQUEST Is coming from the right place?

Question

I learn that HTTP_REFERER or any HTTP request header can be fake and not reliable.

REMOTE_ADDR is reliable though.

so, how can I ensure the incoming HTTP_REQUEST call is coming from a website that I white-list?

For example, I have a js code that will send from client site to server. (something like a sniper, cross platform). however, I only allow this happen from several websites. Not others. so, even other people copy the code and put onto their website, it won't work.

Answer 1

Haven't used this in practice, so there might be practicality issues I wasn't counting on, but thought I'd contribute the idea anyway. If I interpret correctly, this is similar to (if not the same as) the idea @Seldaek posted.

1. Your Server generates a unique ID for each page-serve and embeds the ID in the page.
2. Server stores the ID and the Client's IP address.
3. The js on the client places the ID in its request to the Server and sends the request.
4. When the Server receives the js request from the Client, it only responds if the IP/ID pair matches one that is on-file (see #2).
5. After some specified time (and/or when the browser session ends), the ID/IP entries expire.

This could perhaps be faked if a person sharing the visitor's IP address (perhaps both are behind the same NAT box) hijacks another visitor's session in real-time, but it will at least prevent someone from making another web page which piggybacks on your server's service.

There could also be issues if, for some reason, your visitor's IP address changes between when the page was served and when the js request was sent.

Basically, your server is saying "I will not service your js request unless you possess the data from a page I recently served and you are coming from (to the best of my knowledge) the place to which I served that page."

Answer 2

so, how can I ensure the incoming HTTP_REQUEST call is coming from a website that I white-list?

I think if you sign every request(from whitelist) which is valid for that request only(once). I assume using uniqid for this is safe(enough?).

Answer 3

The only way to do this reliably is to have all those several websites generate unique tokens for every users, similarly as how you protect yourself from CSRF attacks. The tokens would then be sent along with the request by your script, and your server would need to have a way to check the token for authenticity against the other websites. Needless to say this is very likely impossible unless you control all sites.

See also this question on HTTP_REFERER

Answer 4

As @Billy says this simply isn't possible, you're thinking about the internets' request response mechanism incorrectly.

For example, I have a js code that will send from client site to server. (something like a sniper, cross platform).

I assume what you're saying is that you have some javascript code served up on some website on your 'whitelist' which redirects the user to your website. Its on your website that you want to check that the user came from the 'whitelisted' site?

Aside from setting a cookie (might not be possible - cross domains) you might find it tough. Have you taken a look at OpenID? If you can post more details a solution may be more obvious.

Answer 5

All http headers can be faked.

If you are just accepting communication from the remote server (and not having a client browser be redirected to your server) then you can either set up a VPN between that remote server and yours or you can change your firewall config to only allow communication from a specific set of IP addresses. However, even the later can be faked by people willing to go that far.

If the client browser is the one either being redirected to your server or loading the file(s) from your server then there is absolutely nothing you can do.

Answer 6

In the general case you simply can't do it. You are entirely at the mercy of the client. You can make it more difficult by checking the referrer, but not impossible.