What is a safe way of knowing the referer/referrer in an HTTP request?

I am using nodejs to write an image upload service. Paying clients will be able to send an image file to my endpoint that I have set up on my server. However, when every request comes in, I need to confirm that it is actually a paying client making the request. I thought about having the client give me their domain name and I would just check the referer header. However, someone could easily spoof the referer header and use my service without paying. How do SaaS developers face this technical problem? Is it possible to fix this without requiring my clients to have some server side code?

268 likes
justspamjustin asked Jul 29 '12 00:07



2 Answers

Are you building an external image hosting service for websites or is it to share something that HAS to be private and SECURE? If it is the former then read ahead.

Of course, the header can be spoofed. Here's why you should not worry about it:

  1. Alternative is ugly: To build a secure provisioning service, you will have to develop some kind of token system that the website owner implements at his end as well. Chances are, he would not sign up with you because there are simpler alternatives available.

  2. Spoofing will have to be done on client side. Very few "users" will actually do this. Two geeks spoofing headers on their own machine will not make a big difference to you. If they write some proxy or middleware that does this work automatically and many people start using it, it could be a problem. However this is not very likely.

Guess you already know, but since you haven't mentioned - it is called Hotlinking. Google this topic to find more resources.

55 likes
Dojo answered Oct 28 '22 15:10

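As an added example, not part of Dojo's answer: a Node.js referer check of the kind the answer describes, which parses the Referer header and compares its hostname against an allowlist of client domains. The allowlist entries, the function names and the 403 response are assumptions for illustration. As the answer says, the header is supplied by the client, so this only deters casual hotlinking; it is not authentication.

```javascript
// Added example (not from the original answer): hotlink check based on the
// Referer header. The header is client-controlled, so treat this as a
// deterrent, not as proof of who is calling.

// Constructed allowlist: hostnames registered by paying clients (assumption).
const ALLOWED_HOSTS = new Set(['shop.example.com', 'blog.example.org']);

// Return true when the Referer header names an allowed host.
// A missing or unparsable header counts as not allowed. Browsers omit the
// Referer for some cross-origin requests, so a real service must decide
// explicitly whether to accept that case.
function refererAllowed(refererHeader, allowed = ALLOWED_HOSTS) {
  if (typeof refererHeader !== 'string' || refererHeader === '') return false;
  let url;
  try {
    url = new URL(refererHeader); // throws on a malformed value
  } catch (e) {
    return false;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Compare the full parsed hostname, never a prefix or substring:
  // "shop.example.com.other.test" must not match "shop.example.com".
  return allowed.has(url.hostname.toLowerCase());
}

// Upload handler that applies the check (req/res shapes as in node's http module).
function handleUpload(req, res) {
  if (!refererAllowed(req.headers['referer'])) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('hotlinking not permitted\n');
    return;
  }
  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('upload accepted\n');
}

module.exports = { ALLOWED_HOSTS, refererAllowed, handleUpload };
```

To serve it, pass the handler to `http.createServer(handleUpload).listen(port)`. The hostname comparison is the part worth getting right: parsing with `URL` and checking the whole hostname avoids the classic mistakes of string-prefix matching and of accepting non-HTTP schemes.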


You cannot authenticate a browser with a referrer header.

If you want to authenticate an individual, then you will likely need a login system that they provide credentials to (username/pwd) and you check those against your allowed user base. If they pass, then you set a certain type of cookie in the browser that indicates they are a legit user. Subsequent requests from this user will contain that cookie which you can check on every request.

The cookie needs to be something that you create that you can verify that cannot easily be guessed or forged (like a session or an encrypted token from your server). You would typically set an expiration on the cookie after some period of time so that the user has to login again.

43 likes
jfriend00 answered Oct 28 '22 17:10
