Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Suppose my webpage test.html is sending form data to webpage callback.html on same domain, how can I validate if form data is sent by test.html not by anybody else? Think test.html as trusted source for callback.html.
<form action="callback.html" methos="post">
<input type="hidden" id="abc" value="User is not authenticated"/>
</form>
The only secure way to ensure that a POST is coming from a trusted source is to make sure that the transaction involves some information that only your site knows. There are different ways to do this, but a simple one is to use the value of your session cookie as a form field value. Your server would then reject POST transactions that lacked that parameter.
If your transactions are not secure (https) then there’s not much point anyway.
edit — I’ll mention that an alternative, if your POST transactions are initiated with XHR, is to add a special “X-Something” header to the request.