Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is a safe way of knowing the referer/referrer in an HTTP request?

Tags:

javascript

http

node.js

cross-domain

I am using nodejs to write an image upload service. Paying clients will be able to send an image file to my endpoint that I have set up on my server. However, when every request comes in, I need to confirm that it is actually a paying client making the request. I thought about having the client give me their domain name and I would just check the referer header. However, someone could easily spoof the referer header and use my service without paying. How do SaaS developers face this technical problem? Is it possible to fix this without requiring my clients to have some server side code?

like image 268
justspamjustin Avatar asked Jul 29 '12 00:07

justspamjustin

2 Answers

Are you building an external image hosting service for websites or is it to share something that HAS to be private and SECURE? If it is the former then read ahead.

Of course, the header can be spoofed. Here's why you should not worry about it:

  1. Alternative is ugly: To build a secure provisioning service, you will have to develop some kind of token system that the website owner implements at his end as well. Chances are, he would not sign up with you because there are simpler alternatives available.

  2. Spoofing will have to be done on client side. Very few "users" will actually do this. Two geeks spoofing headers on their own machine will not make a big difference to you. If they write some proxy or middle ware that does this work automatically and many people start using it, it could be a problem. However this is not very likely.

Guess you already know, but since you haven't mentioned - it is called Hotlinking. Google this topic to find more resources.

like image 55
Dojo Avatar answered Oct 28 '22 15:10

Dojo

You cannot authenticate a browser with a referrer header.

If you want to authenticate an individual, then you will likely need a login system that they provide credentials to (username/pwd) and you check those against your allowed user base. If they pass, then you set a certain type of cookie in the browser that indicates they are a legit user. Subsequent requests from this user will contain that cookie which you can check on every request.

The cookie needs to be something that you create that you can verify that cannot easily be guessed or forged (like a session or an encrypted token from your server). You would typically set an expiration on the cookie after some time period of time so that the user has to login again.

like image 43
jfriend00 Avatar answered Oct 28 '22 17:10

jfriend00
Sign in to Comment

Related questions

Controlling SVG's SMIL with JavaScript
Mark areas over an image with javascript
Does Chrome stop certain javascript code from running because of its extensions?
How to change h:outputText value by JavaScript?
Firefox struggling about d3.js svg library?
How to get file size from clientside without using activex in javascript?
chrome extension force mouse move
jquery ajax post canceled
how to get multiple file input from a single input
Starting marquee on audio play
Get cover art from mp3 files through PHP and display it
How to run an async function for each line of a very large (> 1GB) file in Node.js
Ajax-intensive page: reuse the same XMLHttpRequest object or create new one every time?
JOGL Applets versus WebGL
How do I access elements across frames?
Javascript Type Error, is not a function
Is there a modern sessionStorage alternative that works across subdomains?
How to write Native Erlang list functions in CouchDB
How to use javascript to get html special characters in text input
Will Search Engines grab javascript generated keyword and description meta tags? [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!