HTTP Referer is how I do it now. As everyone who has used this method knows, it is not 100% accurate, because the Referer header is optional and may be messed with.
Looking at how-to-ensure-access-to-my-web-service-from-my-code-only I still don't know how to do this in a minimal way.
Situation:
Advertising on another site. Using an iFrame, I can change the content / function at my discretion. I pay $x.xx every time the action is completed. Therefore, I need to make sure that the action is completed from the place where I said that it can be completed.
What I'm trying to prevent:
Some other webmaster coming along: "hey, good tool, let me put this on my site". As I said at the top about what I am doing atm, if the Referer does not match, I will be redirected to a page with the same tool; however, any actions performed on that page will not cost me any money.
When trying to prevent the above, resolve the following:
I do not mind if the owner of the webmaster / site for which I pay in cash puts code on other sites for "actions completed" - obviously, this is good. Much more coverage, the site owner gets more cash, and I get more actions done, which gives me more money.
Question
What can I have the other side do so that I know that all requests coming to my web page belong to the other side with which I have an agreement, and not some random one?
Thanks:)
info re app
The site of the other parties has an iFrame. The iFrame displays the html / js / php page that is on one of my domains. This page uses ajax requests to interact with the actual web service, which is the ruby / sinatra application. I have many different pages that fit into the look of the site of other parties.
So, I think some kind of chatter between servers of other parties, and my server would be a good idea. Then the result of this chatter will somehow be present during the iFrame request.
However, I'm not sure if the other party can set a cookie for the domain that will be served in the iFrame - in fact, I'm sure it cannot.
Now, to get around this limitation, I could include the script as part of the iFrame on the page that could set the cookie.
Well above ideas:
- The OtherParty server sends a request to my server, receives a response.
- displays a page with this answer as a parameter in <script src="...?param"></script>
- my script sets a cookie
- as the script comes before the iFrame, the script is loaded first
- the iFrame then loads a page from the domain on which the cookie was set prior to the request
- bingo, request confirmed
Does this sound normal?
btw my tool that I want the action to complete only works if JS is turned on like that ...
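
The server-to-server idea listed in the question, as an added example that is not part of the original post: the "response" handed to the other party's server is a short-lived, single-use token signed with HMAC-SHA256, which the Sinatra side checks before counting an action as billable. The key, partner ids, TTL and helper names are assumptions, and authenticating the other party's server on the first request is assumed to happen elsewhere.

```ruby
require 'openssl'
require 'securerandom'

# Assumptions (not from the post): key, partner ids, TTL and helper names.
SERVER_KEY  = 'constructed-demo-key-load-from-config' # known only to my server
PARTNERS    = %w[partner-a partner-b].freeze           # parties with an agreement
TOKEN_TTL   = 120                                      # seconds a token stays valid
USED_NONCES = {}                                       # use a shared store in production

def mac_for(payload)
  OpenSSL::HMAC.hexdigest('SHA256', SERVER_KEY, payload)
end

# Step 1: answer to the partner server's (already authenticated) request.
def issue_token(partner_id, now = Time.now.to_i)
  raise ArgumentError, 'unknown partner' unless PARTNERS.include?(partner_id)
  payload = [partner_id, now + TOKEN_TTL, SecureRandom.hex(16)].join('.')
  "#{payload}.#{mac_for(payload)}"
end

# Last step: run on the request made from inside the iFrame, before an
# action is counted as billable.
def verify_token(token, now = Time.now.to_i)
  partner_id, expires, nonce, mac = token.to_s.split('.', 4)
  return :malformed unless mac && PARTNERS.include?(partner_id)
  payload = [partner_id, expires, nonce].join('.')
  return :bad_signature unless OpenSSL.secure_compare(mac, mac_for(payload))
  return :expired if now > expires.to_i
  return :replayed if USED_NONCES.key?(nonce)
  USED_NONCES[nonce] = expires.to_i # single use: a copied token cannot bill twice
  :ok
end
```

Because the token is bound to a partner id, an expiry and a nonce, a page that copies the iFrame markup without going through the server-to-server step has nothing valid to present, and a token lifted from a partner page stops working once used or expired.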