Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I tell a curl request vs browser request

I have a webserver, and certain users have been retrieving my images using an automated script.I wish to redirect them to a error page or give them an invalid image only if it's a CURL request.

my image resides in http://example.com/images/AIDd232320233.png, is there someway I can route it with .htaccess to my controller index function to where I can check if it's an authentic request?

and my other question, how can I check browser headers to distinguish between most likely authentic ones and ones done with a cURL request?

like image 321
Edward Avatar asked Oct 25 '14 02:10

Edward


People also ask

How is cURL different from browser?

Curl is designed to work without user interaction, so unlike Firefox, you must think about your interaction with online data from start to finish. For instance, if you want to view a web page in Firefox, you launch a Firefox window.

How do you tell if a request came from a browser?

There is absolutely no way to know with certainty if a request came from a browser or something else making an HTTP request. The HTTP protocol allows for the client to set the User Agent arbitrarily.

How do I check my browser cURL request?

cURL makes HTTP requests just like a web browser. To request a web page from the command line, type curl followed by the site's URL: The web server's response is displayed directly in your command-line interface. If you requested an HTML page, you get the page source -- which is what a browser normally sees.

What is the difference between cURL and HTTP request?

Curl is bundled with PHP, HTTPRequest is a separate PECL extension. As such, it's much more likely that CURL will be installed on your target platform, which is pretty much the deciding factor for most projects.


1 Answers

Unfortunately, the short answer is 'no.'

cURL provides all of the necessary options to "spoof" any browser. That is to say, more specifically, browsers identify themselves via specific header information, and cURL provides all of the tools to set header data in whatever manner you choose. So, directly distinguishing two requests from one another is not possible.*

*Without more information. Common methods to determine if there is a Live Human initiating the traffic are to set cookies during previous steps (attempts to ensure that the request is a natural byproduct of a user being on your website), or using a Captcha and a cookie (validate someone can pass a test).

The simplest is to set a cookie, which will really only ensure that bad programmers don't get through, or programmers who don't want to spend the time to tailor their scraper to your site.

The more tried and true approach is a Captcha, as it requires the user to interact to prove they have blood in their veins.

If the image is not a "download" but more of a piece of a greater whole (say, just an image on your site), a Captcha could be used to validate a human before giving them access to the site as a whole. Or if it is a download, it would be presented before unlocking the download.

Unfortunately, Captchas are are "a pain," both to set up, and for the end-user. They don't make a whole lot of sense for general-purpose access, they are a little overboard.

For general-purpose stuff, you can really only throttle IPs, download limits and the like. And even there, you have nothing you can do if the requests are distributed. Them's the breaks, really...

like image 74
Mike Avatar answered Sep 18 '22 17:09

Mike