I need to make sure a request comes from a user submitting a form on the website rather than an automated POST request.
I could use:
- HTTP_REFERRER – but this is not reliable
- hidden input field with random value from session – but what’s to stop a spammer from going to my form, getting the value from the hidden field, and pasting it into his “program” as part of his automated request?
Any other options?
You could use an HMAC approach whereby you hash the first couple of bits of the POST payload using a hashing algorithm secured by a secret key known only between your php library and your backend. Store the calculated hash in the http headers, not as part of the form payload. All you need to do then is validate the data being submitted server-side by calculating the hash value using the secret key and if the hash value doesn’t check out, you know it’s a bogus submission. See this for details.
Also, basic cookie security parameters like
HttpOnly instructs browsers to not permit access to your set cookies via scripts in transit (VBScript, JavaScript, etc.), so your tokens could be a little bit more secure in transit.
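As an added illustration of the HMAC-token idea from the answer above (this is example code written for this page, not code from the answerer or from any PHP library), here is a minimal keyed-token scheme in Python. The token is an HMAC over the user's session identifier plus a timestamp, so the hidden-field value the questioner worries about is useless to anyone who copies it without also holding that session cookie. The secret key, the cookie name `PHPSESSID`, the form field name `csrf_token`, and the `handle_post` request shape are all assumptions for the demo.

```python
import hashlib
import hmac
import time

# Placeholder secret: in a real deployment load at least 32 random bytes from
# configuration or a secrets store, never hard-code it (constructed value).
SECRET_KEY = b"replace-with-32-random-bytes-from-config"


def make_token(session_id, secret=SECRET_KEY, now=None):
    """Return 'timestamp:hmac' bound to this session; put it in the hidden field."""
    ts = int(now if now is not None else time.time())
    msg = f"{session_id}:{ts}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_token(token, session_id, secret=SECRET_KEY, max_age=3600, now=None):
    """Recompute the HMAC for the presented session and compare in constant time."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    current = int(now if now is not None else time.time())
    if current - ts > max_age or ts > current + 60:
        return False  # expired, or timestamp from the future (tampered)
    expected = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the mismatch occurs via timing
    return hmac.compare_digest(expected, mac)


def handle_post(form, cookies, secret=SECRET_KEY, now=None):
    """Server-side check a handler would run before processing a submission.

    `form` and `cookies` are plain dicts standing in for the parsed request
    (hypothetical shape); the cookie and field names are assumptions.
    """
    session_id = cookies.get("PHPSESSID")
    token = form.get("csrf_token")
    if not session_id or not token:
        return False
    return verify_token(token, session_id, secret, now=now)


if __name__ == "__main__":
    # Constructed scenario: a browser in session "sess-A" renders the form.
    tok = make_token("sess-A")
    print("own session:     ", handle_post({"csrf_token": tok}, {"PHPSESSID": "sess-A"}))
    # Someone copies the hidden field into a script that has no "sess-A" cookie.
    print("copied to sess-B:", handle_post({"csrf_token": tok}, {"PHPSESSID": "sess-B"}))
    # The same token a day later is rejected by the age check.
    print("replayed later:  ", handle_post({"csrf_token": tok}, {"PHPSESSID": "sess-A"},
                                           now=time.time() + 90000))
```

Note what this does and does not buy you: it stops a token lifted from one session being replayed from another (cross-site request forgery), and it needs no server-side storage because the MAC is recomputed from the secret. It does not stop an automated client that first loads the form with its own session cookie and then submits with the token it was given; for that problem a CAPTCHA, rate limiting, or similar controls are the usual complement.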