I need to make sure that the request to the script comes from my server. I found `$_SERVER['REQUEST_URI']`, but it only shows the relative path to the file itself (`/order/order.php`). I use an AJAX script, maybe this is the problem?

How do I get the full path or how to make sure the request is from my server?


    There is a Referer header that shows where the request came from. The browser may not send this information at all, in which case you cannot find out.

    If the browser has sent this information, it is in `$_SERVER['HTTP_REFERER']`.

    Information from the official PHP documentation :

    The address of the page (if any) that led the user's browser to this page. This header is set by the user's web browser. Not all browsers set it, and some, as an additional feature, allow you to change the content of the HTTP_REFERER header. In short, it really cannot be trusted.

    If you want protection against request forgery, you can add a non-guessable token, known only to your server, to each request. With this method, a request that arrives without a matching token is denied access. It is usually used to protect against CSRF, where an attacker can perform many different actions on an unprotected site on behalf of other logged-in visitors.

      You need to generate a CSRF token, write it into the session and put it in a field on the page. Then you send the token with the request and compare on the backend whether the two are equal (the token from the session and the token coming from the page); if they are, the request was sent exactly from your page.
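The token round trip that both answers describe, as an added example (not code from the question or either answer): one script that renders the page with the token on GET and verifies it on POST. It assumes the endpoint path `/order/order.php` from the question, PHP's native session handling, and an AJAX call that sends the token in an `X-CSRF-Token` header; the session key `csrf_token`, the function names and the JSON responses are this example's own choices.

```php
<?php
// Added example, not the original poster's code: CSRF token issue/verify for an AJAX endpoint.
// Assumes this file is served at /order/order.php (path taken from the question).
session_start();

// Issue one token per session: 32 random bytes -> 64 hex characters.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
// Returns false when the session has no token or the request sent none.
function csrf_valid(?string $submitted): bool
{
    if (empty($_SESSION['csrf_token']) || $submitted === null || $submitted === '') {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Accept the token either as a form field or as the custom header the AJAX call sets
    // (PHP exposes the X-CSRF-Token header as HTTP_X_CSRF_TOKEN).
    $submitted = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    header('Content-Type: application/json');
    if (!csrf_valid($submitted)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid or missing CSRF token']);
        exit;
    }
    // ... process the order here ...
    echo json_encode(['ok' => true]);
    exit;
}

// GET: render the page with the token in a hidden field and in a meta tag for the script.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<meta charset="utf-8">
<meta name="csrf-token" content="<?= $token ?>">
<form id="order" method="post" action="/order/order.php">
  <input type="hidden" name="csrf_token" value="<?= $token ?>">
  <button type="submit">Order</button>
</form>
<script>
// The AJAX request carries the token in a header; the hidden field covers a plain form post.
document.getElementById('order').addEventListener('submit', function (e) {
  e.preventDefault();
  var token = document.querySelector('meta[name="csrf-token"]').content;
  fetch('/order/order.php', {
    method: 'POST',
    headers: {'X-CSRF-Token': token},
    body: new FormData(this)
  }).then(function (r) { return r.json(); }).then(console.log);
});
</script>
```

`hash_equals` rather than `===` keeps the comparison constant-time, and the session token is generated with `random_bytes` so it cannot be guessed; a request from another origin cannot read the page (and so the token) without the session cookie, which is what makes the check work where the Referer header, as the first answer notes, cannot be relied on.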