Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is there any way by which i could know exactly which server a POST request has originated from ?
I’m trying to implement a method wherein i could check that a specific request has originated from my website, and hence this will help me keep my website secure
Thanks
It sounds like you are trying to implement Cross Site Request Forgery protection, in which you need to make sure the request originated from HTML delivered from your web server. Do not rely on the referer header for this as it is often stripped in firewalls, and can be manipulated.
See OWASP for some good sources on how to implement this kind of protection. Basically it goes like this:
Generate a secure random value and stick it on the user’s session
For every HTML form, include this value as a hidden value ()
Whenever a POST request comes back to your server, check that the value from the hidden field, is the same as the one in the user’s session. Reject the request if it isn’t.
Because the alue is unique per user, an attacker could not simply forge a form with prepopulated values, and trick the user into automatically posting it with javascript. The request would be rejected as the attacker would not know which value to include for the hidden field in his forged form.