How to Check If a Request If Coming from the Same Server or Different Server

How to check if a request if coming from the same server or different server?

Basically : you cannot.

With the HTTP protocol, each request is independent from the others.

A first idea would be to check the Referer HTTP header, but note that :

• It can be faked (it's sent by the browser)
• It is not always present.

So : not a reliable solution.

A possible, and far better than the Referer idea, solution could be to use a nonce :

• When displaying the form, put a hidden input field in it, containing a random value
• At the same time, store that random value into the session that correspond to the user.
• When the form is submitted, check that the hidden field has the same value as the one that's stored in session.

If those two values are not the same, refuse to use the submitted data.

Note : this idea is often used to help fight against CSRF -- and integrated in the "Form" component of some Frameworks (Zend Framework, for instance).

Can we ever determine if the request was sent from another domain?

So basically my question is how do we determine for certain that the request was sent from our own domain? Or is there no way at all?

You are asking the impossible. There is no way to know for certain that a submit button on a page on your domain generated the request.

You say it's not about CSRF, so I don't know why you are concerned. But the solutions are the same.

1. Check the HTTP_REFERER header anyway. If it isn't your domain, then reject the request. You'll probably need to accept missing headers though since some people disable it. This doesn't prevent people who mess with their browser settings from spoofing the value though. But it does prevent people who are tricked into submitting the form from another site (assuming they haven't disabled HTTP_REFERER).

2. Use a "nonce" or temporary token that is only valid for one request. Hence, the person who submits the request must visit your website at least once per request. This is basically the same thing as ensuring that the request originated from your website. You can also tie a nonce to an IP address or session to prevent people from querying your site and relying the token along to another computer.

How to check if my PHP script is being called from my own domain/server?

you can use HTTP_REFERER to restrict hotlinking

add this on your php

Simple example:

strstr($_SERVER['HTTP_REFERER'], 'ppyazi.com') or exit('denied');
// ... some codes that renders image
// e.g
// header('Content-Type: image/png');
// echo file_get_contents('image_file.png');

Complex example:

/**
 * Returns boolean (true/false)
 * @param  string $sHostName Provide hostname
 * @return bool
 */
function isHost($sHostName) {
    return strstr($_SERVER['HTTP_REFERER'], $sHostName);
}

if (isHost('ppyazi.com') === true) {
    // do something you want if your domain is on ppyazi.com
} else {
    // remove something you want if you are out of ppyazi.com
}

how to verify the requesting server in php?

There are many ways this could be implemented.

This easiest way is to check the $_SERVER['HTTP_REFERER'] to see if it matches, although this is not 100% reliable, and is not true security.

A second method would be to use PHP's session functionality. This would require that the two servers use a shared session tracking area though, which is a much more advanced server setup.

A third method would be to use a shared MySQL server that both can access to verify requests. This will introduce latency, which may slow down the request a bit.

A fourth method would be to use a call back to the originating server to verify it did make the request. Server2 makes the request to Server1, then Server1 contacts Server2 and asks if the request it just received actually came from it.

A fifth method is to sign your request using a private/public key pair. This way you can verify for sure that the request came specifically from the server it claims it is.

Which request params can be used to tell if a request is coming from Postman vs NodeJS server?

I'll answer this myself, for anyone who comes here searching for answers. Apparently, Postman uses some magic configuration to make requests from the browser while bypassing CORS issues.

They call it the "Postman Agent". It seems like it's probably a local proxy in front of a headless browser with CORS turned off (or something along those lines).

You can read about it here: https://blog.postman.com/introducing-the-postman-agent-send-api-requests-from-your-browser-without-limits/

In my case, the issue wasn't caused by a difference between the requests. It was caused by the way the responses were handled. Postman was showing cookies received in an initial 302 response, and then following the redirect. The NodeJS request was following the redirect but not showing the initial 'set-cookie' header in the final response. As soon as I set redirect: 'manual' in nodejs, I could see the correct headers from the initial 302 response.

WCF how to detect if client and server are in same server

In my humble opinion, the easiest and safest way to make some methods to be invoked only locally is to use NetNamedPipeBinding.

So I would take all the "local" methods and put them in a separate interface.
And I would expose that interface with NetNamedPipeBinding.

Edit
You can expose different interfaces on the same service.

Each interface can have its own binding.

Edit 2 - code samples

In the two following samples, here is the service class exposing two interfaces

class ServiceHelloWorld : IPublicInterface, ILocalInterface

1. Many endpoints can be exposed through xml
These aren't the same interfaces. :

<services>
  <service name="HelloWorldService.ServiceHelloWorld">
    <endpoint address="net.tcp://localhost:7000/publicinterface" 
      binding="netTcpBinding" contract="IPublicInterface">
    <endpoint address="net.pipe://localhost:8000/privateinterface" 
      binding="netNamedBinding" contract="ILocalInterface">
  </service>
</services>

2. Many endpoints can be exposed through code

These aren't the same interfaces no more.

ServiceHost host =
   new ServiceHost(typeof(ServiceHelloWorld), new Uri[] { });
host.AddServiceEndpoint(typeof(IPublicInterface), 
   new NetTcpBinding(), "net.tcp://localhost:7000/publicinterface");
host.AddServiceEndpoint(typeof(ILocalInterface), 
   new NetNamedPipeBinding(), "net.pipe://localhost:8000/privateinterface");

Regards

---

Related Topics