
Get PHP page content only from specific server with Zend\Http\Client and Curl

How can I secure the content of a PHP page so that it can only be accessed by a curl request from a specific server? It should not be possible to get the content in a browser with a request like "https://cms.domain.com/home", but if I create a Zend client on a specific server it should be possible to get the content.

Is it possible to check the referer or something else?

// Zend\Http\Client with the cURL adapter, fetching the page that should be restricted
$adapter = new Zend\Http\Client\Adapter\Curl();
$client = new Zend\Http\Client();
$client->setAdapter($adapter);

$client->setMethod(\Zend\Http\Request::METHOD_GET)
    ->setUri('https://cms.domain.com/home');

$response = $client->send();   // was $this->client->send(); $client is the local variable above

It's not so simple, because according to the HTTP protocol each request is by definition independent from other requests.

HTTP_REFERER is simple to fake and not always present.

You can find more information under:

How to check if a request is coming from the same server or a different server?

If you find a short way, I would then say no!

The one and only reliable solution is to use the OAuth2 protocol to restrict your API https://cms.domain.com/home, because Google, Facebook and Twitter use OAuth2 for their APIs.

Therefore, you need to create a RESTful application. A typical RESTful web service will use HTTP to do the four CRUD (Create, Retrieve, Update, and Delete) operations. Meaning you can map those four operations to different endpoints of your API, like https://cms.domain.com/v2/api/oauth, https://cms.domain.com/v2/api/etc for example.

As you are using Zend\Http\Client as a client to handle your API, you need a server for authentication, which is an OAuth2 server. Here you can get the OAuth2 Server Library for PHP by Brent Shaffer.

You can also use the OAuth2 server from PHP League.

Another option is Zend Framework's Apigility, which is very useful if you need to get an OAuth 2.0 API up and running. Check out their docs for the implementation!
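The answer names the libraries but not which OAuth2 grant applies. For one server calling another with no end user involved, that is the client credentials grant: the calling server authenticates to the token endpoint with a client id and secret, receives a bearer token, and presents it on every request to the protected page; a browser that has no such token is refused before any content is produced. The following is an added example, not code from the answer or from the libraries' own documentation. It shows the calling side with Zend\Http\Client and the two server-side endpoints with Brent Shaffer's oauth2-server-php. The token URL /v2/api/oauth/token, the client id and secret, and the PDO DSN are placeholders, and the OAuth2\Server, OAuth2\Storage\Pdo, OAuth2\GrantType\ClientCredentials, handleTokenRequest and verifyResourceRequest calls are used as that library's README documents them, which is an assumption about its API.

```php
<?php
// Added example (not from the original answer): OAuth2 client credentials grant for a
// server-to-server call. Assumptions: the token URL, client id/secret and the PDO DSN are
// placeholders; the OAuth2\* calls follow the oauth2-server-php README.

use Zend\Http\Client;
use Zend\Http\Request;

// --- Calling server: exchange client credentials for a token, then fetch /home with it ---
function fetchHomeWithClientCredentials(string $clientId, string $clientSecret): string
{
    $tokenClient = new Client('https://cms.domain.com/v2/api/oauth/token');
    $tokenClient->setMethod(Request::METHOD_POST);
    $tokenClient->setAuth($clientId, $clientSecret);           // HTTP Basic: client authentication
    $tokenClient->setParameterPost(['grant_type' => 'client_credentials']);
    $tokenResponse = $tokenClient->send();
    if (!$tokenResponse->isSuccess()) {
        throw new RuntimeException('token request failed: HTTP ' . $tokenResponse->getStatusCode());
    }
    $token = json_decode($tokenResponse->getBody(), true);
    if (!is_array($token) || empty($token['access_token'])) {
        throw new RuntimeException('token endpoint returned no access_token');
    }

    $api = new Client('https://cms.domain.com/home');
    $api->setMethod(Request::METHOD_GET);
    $api->setHeaders(['Authorization' => 'Bearer ' . $token['access_token']]);
    $response = $api->send();
    if (!$response->isSuccess()) {
        throw new RuntimeException('protected page refused: HTTP ' . $response->getStatusCode());
    }
    return $response->getBody();
}

// --- cms.domain.com: one server object shared by the token and resource endpoints ---
function buildOAuth2Server(): OAuth2\Server
{
    $storage = new OAuth2\Storage\Pdo([
        'dsn'      => 'mysql:dbname=oauth2;host=127.0.0.1',   // placeholder DSN
        'username' => 'oauth',                                // placeholder credentials
        'password' => 'change-me',
    ]);
    $server = new OAuth2\Server($storage);
    // Enable only the grant a trusted server needs; no authorization-code or password grant is exposed.
    $server->addGrantType(new OAuth2\GrantType\ClientCredentials($storage));
    return $server;
}

// /v2/api/oauth/token: issues a token only when client id and secret match a stored client.
function tokenEndpoint(): void
{
    buildOAuth2Server()->handleTokenRequest(OAuth2\Request::createFromGlobals())->send();
}

// Run first in /home (or from Module::onBootstrap): a request without a valid bearer
// token is answered with 401 and never reaches the page content.
function requireBearerToken(): void
{
    $server = buildOAuth2Server();
    if (!$server->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
        $server->getResponse()->send();   // 401 plus the library's JSON error body
        exit;
    }
}
```

Both endpoints must be served over HTTPS, since the bearer token is a capability and the client secret is the real credential; keep the secret in configuration on the calling server, not in code. Note what this restricts: access by credential, not by machine. Any host that obtains the client secret can fetch the page, which is also true of signed-request schemes and IP allow-lists; the difference from Referer or User-Agent checks is that a browser never sends the secret and cannot guess it.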

You can check the User-Agent on the HTTP request. Here is an example of the cURL User-Agent: curl/7.37.0.

So, you can check at onBootstrap(MvcEvent $mvcEvent): if the user agent is not curl/*, the request will be rejected.

use Zend\Mvc\MvcEvent;

class Module
{
    public function onBootstrap(MvcEvent $event)
    {
        $headers = $event->getRequest()->getHeaders();
        // Headers::get() returns false when the header is absent
        $userAgent = $headers->get('User-Agent');
        // Reject unless a User-Agent header is present and starts with "curl/"
        if ($userAgent === false || preg_match("/^curl\/.*/", $userAgent->getFieldValue()) !== 1) {
            $response = $event->getResponse();
            $response->setStatusCode(400);  // give bad request status
            $response->sendHeaders();
            $stopCallBack = function ($mvcEvent) use ($response) {
                $mvcEvent->stopPropagation();
                return $response;
            };
            // Attach the "break" as a route listener; -10000 makes it run after the other
            // route listeners, and it then stops propagation and returns the 400 response
            $event->getApplication()->getEventManager()->attach(MvcEvent::EVENT_ROUTE, $stopCallBack, -10000);
            return $response;
        }

    }
}

If you want, you can add something like a security token to make the restriction better.
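The User-Agent check above is only a speed bump: the header is chosen by the client, so curl -A 'curl/7.37.0' https://cms.domain.com/home, a browser extension, or any HTTP library passes it. The "security token" the answer mentions at the end is the part that actually restricts callers. As an added example, not code from either answer, here is one way to do that in PHP with a shared secret and an HMAC-SHA256 over the request, so the secret itself is never sent, and a captured signature cannot be reused for a different path or body or after a short window. The header names, the 300-second skew window, the CMS_SHARED_SECRET variable and all function names are this example's own choices; the secret must be generated randomly and provisioned on both servers out of band. The sample secret and timestamp in selfCheck() are constructed for the offline check.

```php
<?php
// Added example (not from the original answers): restrict the page to callers that
// hold a shared secret by signing every request with HMAC-SHA256.
// Assumptions: header names, the 300 s skew window, the CMS_SHARED_SECRET environment
// variable and all function names are this example's own; the secret is provisioned
// out of band on both servers.

use Zend\Http\Client;
use Zend\Http\Client\Adapter\Curl;
use Zend\Http\Request;

const SIGNATURE_HEADER = 'X-Signature';
const TIMESTAMP_HEADER = 'X-Timestamp';
const MAX_SKEW_SECONDS = 300;

// String both sides sign. Binding method, path, timestamp and body hash means a
// captured signature is useless for another URL, another payload or a later time.
function canonicalString(string $method, string $path, string $timestamp, string $body): string
{
    return implode("\n", [strtoupper($method), $path, $timestamp, hash('sha256', $body)]);
}

// Client side: the two headers to attach to an outgoing request.
function signRequest(string $method, string $path, string $body, string $secret, int $now): array
{
    $timestamp = (string) $now;
    $mac = hash_hmac('sha256', canonicalString($method, $path, $timestamp, $body), $secret);
    return [TIMESTAMP_HEADER => $timestamp, SIGNATURE_HEADER => $mac];
}

// Server side: true only if the timestamp is fresh and the MAC matches.
function verifySignedRequest(array $headers, string $method, string $path, string $body, string $secret, int $now): bool
{
    if (!isset($headers[TIMESTAMP_HEADER], $headers[SIGNATURE_HEADER])) {
        return false;
    }
    $timestamp = (string) $headers[TIMESTAMP_HEADER];
    if (preg_match('/^\d+$/', $timestamp) !== 1 || abs($now - (int) $timestamp) > MAX_SKEW_SECONDS) {
        return false;   // stale or malformed timestamp: bounds how long a captured request can be replayed
    }
    $expected = hash_hmac('sha256', canonicalString($method, $path, $timestamp, $body), $secret);
    return hash_equals($expected, (string) $headers[SIGNATURE_HEADER]);   // constant-time compare
}

// On the server that is allowed to read the page: the question's Zend client plus the two headers.
function fetchProtectedPage(string $secret): string
{
    $path = '/home';
    $client = new Client('https://cms.domain.com' . $path);
    $client->setAdapter(new Curl());
    $client->setMethod(Request::METHOD_GET);
    $client->setHeaders(signRequest('GET', $path, '', $secret, time()));
    $response = $client->send();
    if (!$response->isSuccess()) {
        throw new RuntimeException('cms refused the request: HTTP ' . $response->getStatusCode());
    }
    return $response->getBody();
}

// On cms.domain.com, before any page content is produced (e.g. from Module::onBootstrap).
// PHP exposes the headers as $_SERVER['HTTP_X_TIMESTAMP'] and $_SERVER['HTTP_X_SIGNATURE'].
function enforceSignature(string $secret): void
{
    $headers = [
        TIMESTAMP_HEADER => $_SERVER['HTTP_X_TIMESTAMP'] ?? null,
        SIGNATURE_HEADER => $_SERVER['HTTP_X_SIGNATURE'] ?? null,
    ];
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
    $body = file_get_contents('php://input') ?: '';
    if (!verifySignedRequest($headers, $_SERVER['REQUEST_METHOD'] ?? 'GET', $path, $body, $secret, time())) {
        http_response_code(403);
        exit;
    }
}

// Offline self-check with a constructed secret and clock: a valid request verifies,
// the same signature replayed against another path does not, nor does one older than the window.
function selfCheck(): bool
{
    $secret = 'constructed-test-secret';
    $now = 1700000000;
    $headers = signRequest('GET', '/home', '', $secret, $now);
    $good = verifySignedRequest($headers, 'GET', '/home', '', $secret, $now + 10);
    $otherPath = verifySignedRequest($headers, 'GET', '/admin', '', $secret, $now + 10);
    $tooOld = verifySignedRequest($headers, 'GET', '/home', '', $secret, $now + MAX_SKEW_SECONDS + 1);
    return $good && !$otherPath && !$tooOld;
}

echo selfCheck() ? "signature checks behave as expected\n" : "self-check FAILED\n";
```

The skew window only bounds replay; if a request must be single-use, add a random nonce to the signed string and have the server remember nonces for the length of the window. Mutual TLS (a client certificate issued to the calling server, checked by the web server in front of PHP) achieves the same "only this server" goal without any application code, and an IP allow-list at the firewall or web server is a cheap extra layer, though it fails behind NAT or a shared egress proxy. In every case the check must run before the page content is produced, as the onBootstrap hook in the answer does, rather than after.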
