I've heard that HTTP_REFERER can be tricked. I have 2 sites: the first contacts the second, and the second uses HTTP_REFERER to confirm that the request really came from the first.
If I receive a fake request on the second site that claims to come from my first site, and I know that this request was never made, what should I do? Is a third-party website spoofing HTTP_REFERER for all its users, or is someone tampering with their browser settings? I want to know whether HTTP_REFERER has been set/spoofed by the client/browser itself or by a website.
This is information sent by the client; it is usually set to the page on which you clicked the link.
This can also be completely faked. You can do it yourself by setting the header in a PHP cURL request:
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Host: www.google.com', 'Referer: http://google.com/', 'FakeHeader: this is fake but it will be seen anyway'));
The Referer will show up in the server's headers even though the request was never sent from google.com. You can fake anything you see in the headers (User-Agent, cookies, etc.).
You will have a hard time spotting spoofed headers unless you know how each one should look from each source. The best you can do is work with IPs and restrict the type of request (for example, if a page should only receive GET requests, reject all POST requests). Even if someone wants to deceive you, it is likely that they will, and you will not know it.
If you are trying to secure a connection between your 2 sites, you should protect it with more than just a header, which is not secure at all.
EDIT: You can actually send fake headers. I have updated the example to show what I mean. Some sites use custom (i.e. fake) headers to authenticate.
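One way to secure the site-to-site link with more than a header, as an added example that is not part of the original post: the first site signs each request with an HMAC over a timestamp and the body using a shared secret, and the second site verifies the signature instead of trusting Referer. The secret value, header names and sample body are constructed placeholders.

```php
<?php
// Added example (not from the original post): authenticate requests between
// two sites with an HMAC over the body and a timestamp instead of trusting
// Referer. A forged Referer, User-Agent or cookie does not help here, because
// the sender cannot produce a valid signature without the shared secret.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // placeholder
const MAX_SKEW_SECONDS = 300; // reject requests older than 5 minutes

// Site 1: build the headers that accompany an outgoing request.
function signRequest(string $body, int $timestamp, string $secret): array
{
    $signature = hash_hmac('sha256', $timestamp . "\n" . $body, $secret);
    return [
        'X-Site-Timestamp: ' . $timestamp,
        'X-Site-Signature: ' . $signature,
    ];
}

// Site 2: accept the request only if it is fresh and the signature matches.
function verifyRequest(string $body, string $timestampHeader,
                       string $signatureHeader, string $secret, int $now): bool
{
    if (!ctype_digit($timestampHeader)) {
        return false; // malformed timestamp
    }
    if (abs($now - (int)$timestampHeader) > MAX_SKEW_SECONDS) {
        return false; // stale request, limits replay of a captured signature
    }
    $expected = hash_hmac('sha256', $timestampHeader . "\n" . $body, $secret);
    return hash_equals($expected, $signatureHeader); // constant-time compare
}

// Constructed demonstration of both sides.
$body = json_encode(['order' => 42, 'action' => 'confirm']);
$now = time();
$headers = signRequest($body, $now, SHARED_SECRET);
// Site 1 would pass $headers to curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

// Site 2 would read the values from $_SERVER['HTTP_X_SITE_TIMESTAMP'] and
// $_SERVER['HTTP_X_SITE_SIGNATURE']; here we take them from $headers directly.
$sig = substr($headers[1], strlen('X-Site-Signature: '));
var_dump(verifyRequest($body, (string)$now, $sig, SHARED_SECRET, $now));          // genuine request
var_dump(verifyRequest($body . 'x', (string)$now, $sig, SHARED_SECRET, $now));    // body tampered
var_dump(verifyRequest($body, (string)$now, $sig, SHARED_SECRET, $now + 3600));   // stale timestamp
```

Send the secret to the second site out of band (configuration, not the request), and use HTTPS so the signature and body are not exposed in transit.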