
Best way to restrict a website to a single browser (user agent)?

So I'm in the process of building my own web-application type project. However, I only want the website to be viewable through a web client of mine. I have set the web client's user agent setting to a custom name (MySecretClient) and am now attempting to only allow access from browsers with the user agent, MySecretClient. Everyone else gets redirected.

Is there a better way to go about doing this?

Justin Bush asked Jan 26 '26 18:01


2 Answers

As with so many web technology questions, there is a strict, theoretical answer and a "good enough for what you probably want" answer: The strict answer is: You can't, it doesn't work that way. Since the client can send whatever user agent string it wants to, you have no way of knowing what client is actually behind any given request.

The "good enough" answer that will prevent the vast majority of users from seeing your site with the "wrong" user agent is documented here:

http://www.htaccesstools.com/articles/detect-and-redirect-iphone/

The relevant .htaccess block from the link, which redirects requests from iPhone user agents to an iPhone-specific site, is:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteCond %{REQUEST_URI} !^/my-iPhone-site/ 
RewriteRule .* /my-iPhone-site/ [R]

Which you could modify in your case to redirect users with the wrong client:

RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !^MySecretClient$
RewriteRule .* <URL of a tropical island paradise> [R]

There is one other answer to what might be your intention in doing this. If this is part of your application's security strategy, it is a bad idea! This is what's known as "security through obscurity" and is a well-established anti-pattern that should be avoided. Any but the most casual attacker of your software will quickly realize what's going on, figure out what client your application is meant to run on, and spoof it.

AmericanUmlaut answered Jan 28 '26 15:01


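<?php

// The only user agent string that is allowed through
define('MY_USER_AGENT', 'Custom User Agent');
// Where every other request is sent
define('REDIRECT_LOCATION', 'http://www.google.com');

// HTTP_USER_AGENT is absent when the client sends no User-Agent header
if (($_SERVER['HTTP_USER_AGENT'] ?? '') !== MY_USER_AGENT) {
    header('Location: ' . REDIRECT_LOCATION);
    die();
}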
FelipeBarrosCruz answered Jan 28 '26 14:01
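
An added example (not code from either answer) that puts the User-Agent check from the answers beside a check a client cannot pass by copying a header: a request signature computed with a shared secret. The header names X-Client-TS and X-Client-Sig, the secret and the two sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not from either answer. Header names, secret and
// sample requests are constructed for illustration.
const MY_USER_AGENT = 'MySecretClient';
const MAX_SKEW = 300; // seconds a signed request stays valid

// The check from the answers: passes for anyone who sends the right string.
function ua_gate(array $server): bool
{
    return ($server['HTTP_USER_AGENT'] ?? '') === MY_USER_AGENT;
}

// What the genuine client computes: HMAC over timestamp, method and path.
function sign_request(string $secret, int $ts, string $method, string $uri): string
{
    return hash_hmac('sha256', "$ts\n$method\n$uri", $secret);
}

// Server side: require a fresh timestamp and a matching signature.
function signed_gate(array $server, string $secret, int $now): bool
{
    $ts  = (int) ($server['HTTP_X_CLIENT_TS'] ?? 0);
    $sig = (string) ($server['HTTP_X_CLIENT_SIG'] ?? '');
    if (abs($now - $ts) > MAX_SKEW) {
        return false; // missing, stale or future timestamp
    }
    $expected = sign_request($secret, $ts, $server['REQUEST_METHOD'] ?? '', $server['REQUEST_URI'] ?? '');
    return hash_equals($expected, $sig); // constant-time comparison
}

$secret = 'constructed-demo-secret'; // assumption: per-client secret kept outside the web root
$now    = 1700000000;                // fixed clock so the output is reproducible

// Constructed request 1: a client that only copies the User-Agent string.
$copied = ['HTTP_USER_AGENT' => 'MySecretClient', 'REQUEST_METHOD' => 'GET', 'REQUEST_URI' => '/'];

// Constructed request 2: the real client, which holds the secret.
$real = $copied + [
    'HTTP_X_CLIENT_TS'  => (string) $now,
    'HTTP_X_CLIENT_SIG' => sign_request($secret, $now, 'GET', '/'),
];

foreach (['copied UA' => $copied, 'real client' => $real] as $label => $req) {
    printf("%-12s ua_gate=%s signed_gate=%s\n", $label,
        var_export(ua_gate($req), true), var_export(signed_gate($req, $secret, $now), true));
}
```

A secret shipped inside a distributed client can still be extracted from it, so this raises the bar above a header string but does not replace per-user authentication over TLS.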