
How to get http request origin in php

I want to create an API, and to authenticate API consumers, I will provide an API KEY, App-id and App-Secret. The problem is that I want to know where the http Request is coming from, so that I can know if the Host that is making the request is the registered Host. For example: www.someone.com has an app-id: 0001, app-secret: 1200 and api-key: 458. If these credentials are used to make a request, I want to know if the requester is really www.someone.com

Generally, this header should do the job. Having the domain name in this header

header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN'] . "");
// use domain name instead of $_SERVER['HTTP_ORIGIN'] above

but if you want to check for more info, use something like the following snippet

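$allowed = array('domain1', 'domain2', 'domain3');

// Strict in_array() avoids loose type comparison against the allow list
if (isset($_SERVER['HTTP_ORIGIN']) && in_array($_SERVER['HTTP_ORIGIN'], $allowed, true)) {
    // SELECT credentials for this user account from database
    if (isset($_GET['api_key'], $_GET['app_secret'])
        && is_string($_GET['api_key'])
        && is_string($_GET['app_secret'])
        // hash_equals() compares in constant time and avoids == type juggling
        && hash_equals('api_key_from_db', $_GET['api_key'])
        && hash_equals('app_secret_from_db', $_GET['app_secret'])
    ) {
        // all fine
    } else {
        // not allowed
    }
} else {
    // not allowed
}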

If the users have to pass more data to your service, use POST instead of GET

Laravel 5: in the request method controller:

$origin = request()->headers->get('origin');

Use $_SERVER['HTTP_REFERER']. It is the address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature.

For further restrictions you can perform the following. example.com should be changed to your domain.

IIS set below in web config:

<add name="Access-Control-Allow-Origin" value="http://www.example.com" />

Apache set below in httpd.conf/apache.conf

Header add Access-Control-Allow-Origin "http://www.example.com"

Technically neither origin nor referer are required HTTP headers, all of these answers are based on specific browser headers sent, and basing your system on different behaviors of clients is a bad idea.

The correct answer is you can't reliably get the client origin on every request because it isn't required as part of the HTTP specification.
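An added example (not code from any of the answers) that combines the allow-list check with the caveat above: the secret decides authentication, and the `Origin` header, when a browser sends one, must exactly match the origin registered for that app-id. The registry, the `app_id`/`app_secret` parameter names, the `https` scheme, the SHA-256 storage of the secret and the choice to accept requests that carry no `Origin` header are assumptions.

```php
<?php
// Constructed sample registry: app-id => registered origin and SHA-256 of the app secret.
function registeredApps(): array
{
    return ['0001' => [
        'origin'      => 'https://www.someone.com',
        'secret_hash' => hash('sha256', '1200'), // sample secret from the question
    ]];
}

// Reduce an Origin header to scheme://host[:port]; null if absent or malformed.
function normalizeOrigin(?string $origin): ?string
{
    $p = $origin !== null ? parse_url($origin) : false;
    // An Origin carries only scheme, host and optional port; reject anything else.
    if (!is_array($p) || !isset($p['scheme'], $p['host'])
        || array_diff_key($p, ['scheme' => 1, 'host' => 1, 'port' => 1])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return $scheme . '://' . strtolower($p['host']) . (isset($p['port']) ? ':' . $p['port'] : '');
}

// Returns ['ok' => bool, 'allow_origin' => ?string] for one request.
function checkRequest(array $server, array $params): array
{
    $deny   = ['ok' => false, 'allow_origin' => null];
    $appId  = $params['app_id'] ?? null;
    $secret = $params['app_secret'] ?? null;
    $app    = is_string($appId) ? (registeredApps()[$appId] ?? null) : null;
    // The secret authenticates the caller; hash_equals() compares in constant time.
    if ($app === null || !is_string($secret)
        || !hash_equals($app['secret_hash'], hash('sha256', $secret))) {
        return $deny;
    }
    // Origin is client-supplied: a present value must match, an absent one is tolerated (assumption).
    $origin = normalizeOrigin($server['HTTP_ORIGIN'] ?? null);
    if (isset($server['HTTP_ORIGIN']) && $origin !== $app['origin']) {
        return $deny;
    }
    return ['ok' => true, 'allow_origin' => $origin];
}

// Constructed requests: the registered origin, then a different one with the same credentials.
var_dump(checkRequest(['HTTP_ORIGIN' => 'https://www.someone.com'], ['app_id' => '0001', 'app_secret' => '1200'])['ok']);
var_dump(checkRequest(['HTTP_ORIGIN' => 'https://other.example'], ['app_id' => '0001', 'app_secret' => '1200'])['ok']);
```

When `allow_origin` is non-null, send it as the `Access-Control-Allow-Origin` value together with `Vary: Origin`, so only the registered origin is ever echoed back.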

Using a var_dump you can see all that the request has to offer.

var_dump($_REQUEST);

Do a var_dump on the server global as well. It contains a lot of useful information.

var_dump($_SERVER);

I think what you mean is that you want to access the "Origin" header in the request headers (as opposed to setting it in the response headers).

For this the easiest way is to access the built in getallheaders() function - which is an alias for apache_request_headers() - NB this is assuming you are using php as a module.

This returns an array so the Origin header should be available like this:

$request_headers = getallheaders();
// The header is optional, so fall back to null when it is absent
$origin = $request_headers['Origin'] ?? null;

If you are using php via something like fastcgi then I believe it would be made available in the environment - usually capitalised and prefixed by "HTTP_" so it should be $_SERVER['HTTP_ORIGIN'].

Hope that helps anyone else looking for this :)

In Laravel 7 this worked for me

request()->headers->get('referer');
