Is there any way by which I could know exactly which server a POST request has originated from?
I'm trying to implement a method wherein I could check that a specific request has originated from my website, and hence this will help me keep my website secure.
Thanks
It sounds like you are trying to implement Cross Site Request Forgery protection, in which you need to make sure the request originated from HTML delivered from your web server. Do not rely on the referer header for this as it is often stripped in firewalls, and can be manipulated.
See OWASP for some good sources on how to implement this kind of protection. Basically it goes like this:
Generate a secure random value and stick it on the user's session
For every HTML form, include this value as a hidden value
Whenever a POST request comes back to your server, check that the value from the hidden field, is the same as the one in the user's session. Reject the request if it isn't.
Because the value is unique per user, an attacker could not simply forge a form with prepopulated values, and trick the user into automatically posting it with JavaScript. The request would be rejected as the attacker would not know which value to include for the hidden field in his forged form.
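The three steps in the answer above (random per-session token, hidden form field, server-side comparison on every POST), as an added worked example that is not part of the original answer. It is framework-free Python with a constructed in-memory session store standing in for a real server-side session; the route `/transfer`, the field names `csrf_token` and `amount`, and the helper names are assumptions for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store (session cookie value -> session data).
# A real application would use its framework's server-side session instead.
SESSIONS = {}


def start_session():
    """Step 1: create a session and attach a fresh, unguessable CSRF token to it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id, action="/transfer"):
    """Step 2: emit the HTML form with the session's token in a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        f'<form method="POST" action="{action}">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="text" name="amount">\n'
        '  <input type="submit" value="Send">\n'
        '</form>'
    )


def handle_post(session_cookie, form_fields):
    """Step 3: validate a POST. Returns (HTTP status code, message).

    session_cookie: the session id the browser attached to the request. A
    browser attaches cookies to cross-site form posts as well, which is why
    the cookie alone cannot prove which page the form came from.
    form_fields:    the parsed POST body as a dict.
    """
    session = SESSIONS.get(session_cookie)
    if session is None:
        return 401, "no valid session"
    submitted = form_fields.get("csrf_token")
    expected = session["csrf_token"]
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not isinstance(submitted, str) or not hmac.compare_digest(submitted, expected):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form_fields.get('amount')}"


def demo():
    """Legitimate submission versus a cross-site post that reuses the victim's cookie."""
    sid = start_session()
    form = render_form(sid)
    # The user's browser submits the token it was served inside the page.
    token = form.split('name="csrf_token" value="')[1].split('"')[0]
    legit = handle_post(sid, {"csrf_token": token, "amount": "10"})
    # A forged form posted from another site: the browser still sends the
    # session cookie, but the token was never shown to that site, so the
    # value it carries is a constructed guess (or absent altogether).
    forged = handle_post(sid, {"csrf_token": secrets.token_urlsafe(32), "amount": "9999"})
    missing = handle_post(sid, {"amount": "9999"})
    return legit[0], forged[0], missing[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The token is generated once per session and compared with `hmac.compare_digest` rather than `==`; the rejection path is the same whether the field is absent or wrong, so a forged request learns nothing about the expected value.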
Take a look at this:
http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention