Is it possible for PHP to obtain the certificate of the request, and in particular the website name on the certificate and the CA?
I want to check that a call to my PHP file can only be made from my website via an AJAX call. Like this:
- User logs onto my website and then uses https for subsequent interaction
- User loads a page https://domain/mypage.php
- https://domain/mypage.php has an AJAX call to https://domain/getinfo.php
In getinfo.php I want to check the certificate details of the request to ensure that the request was made from my website, i.e. not from a direct hit on the URL or from a scraping tool.
Possible?
You mean you want to ensure that calls to your getinfo.php originate from a client that is visiting your website? That’s kind of an important distinction. “Your site” doesn’t originate requests; the client visiting the site does. And whether or not the client still has your site open when it’s sending the request is impossible to detect; each request looks exactly like any other. You could require the client to send a token in the request which he must have gotten when opening your site. Typically that’s a cookie and/or session id. Without a valid cookie/session, you won’t answer the client.
That still makes it perfectly possible to scrape the data without actually opening your page, just make one request to get the cookie and another to get the data.
For all intents and purposes, if the API/site is public, so is the data. If you really want to protect it, you’ll have to require user authentication and be careful who you’re giving those accounts to. That also enables auditing and possible banning of users which appear to scrape your data.
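A concrete PHP sketch of the session/token check the answer describes, added here as an illustration and not code from the original post. The file names, the `X-Page-Token` header and the `$_SESSION['user_id']` login marker are assumptions; PHP 7.3 or newer and HTTPS are assumed as well.

```php
<?php
// Illustrative example (hypothetical): the "token you got when opening the page"
// approach from the answer. Part 1 belongs in mypage.php, part 2 in getinfo.php;
// they are shown together here for readability.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Session cookie only over HTTPS, not readable by scripts, not sent cross-site.
        session_set_cookie_params([
            'secure' => true, 'httponly' => true, 'samesite' => 'Strict',
        ]);
        session_start();
    }
}

// --- Part 1, mypage.php: hand the browser a per-session token with the page ---
function issue_page_token(): string
{
    start_secure_session();
    if (empty($_SESSION['page_token'])) {
        $_SESSION['page_token'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $_SESSION['page_token'];
}
// mypage.php would embed it, e.g.
//   <meta name="page-token" content="<?= htmlspecialchars(issue_page_token()) ?>">
// and the page's JavaScript sends it back as the X-Page-Token request header.

// --- Part 2, getinfo.php: answer only requests carrying the session and token ---
function request_is_authorized(bool $require_login): bool
{
    start_secure_session();
    $expected = $_SESSION['page_token'] ?? '';
    $given    = $_SERVER['HTTP_X_PAGE_TOKEN'] ?? '';
    // hash_equals() compares in constant time; an empty expected token never matches.
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;
    }
    // Only a logged-in user (assumed to be marked by user_id at login) truly limits
    // who can pull the data, as the answer points out; the token alone does not.
    return !$require_login || isset($_SESSION['user_id']);
}

if (!request_is_authorized(true)) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'missing or invalid session/token']);
    exit;
}
header('Content-Type: application/json');
echo json_encode(['info' => 'data for the page']);
```

With `$require_login` set to false the check only proves the caller fetched mypage.php first, which a scraper can do in one extra request; the login requirement is what makes the accounts auditable and revocable.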