I'm trying to allow only certain IPs to use a PHP resource. I've tried using the server referer, but I've sadly experienced that it can be easily spoofed, as it's a client header and it can be easily modified.
I want the resource to be accessible from a website, but the IP of the client visiting the website is not the same as the IP the website has. This means that the client shouldn't be able to access the resource directly via the browser or curl, but it should be allowed if done via a website.
I guess I can use some of these $_SERVER keys:
'HTTP_CLIENT_IP','HTTP_X_FORWARDED_FOR','HTTP_X_FORWARDED','HTTP_FORWARDED_FOR','HTTP_FORWARDED','REMOTE_ADDR'
But I have no idea which one to use in order to get the website IP to see if it matches the expected one, and which one returns the IP of the client.
What I've tried, but it doesn't work because it can be spoofed:
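    public function getHost()
    {
        // The Referer header is sent by the client, so it may be absent or forged.
        $host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
        if (is_string($host) && $host !== '') {
            return gethostbyname($host); // resolves the referer's host name to an IPv4 address
        }
        return null; // no usable referer
    }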
It's clear that getHost() should return one of the keys mentioned above, but I'm not sure which one.
Thank you in advance
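
An added example, not part of the original question: of the keys listed above, only REMOTE_ADDR is filled in by the web server from the TCP connection; every HTTP_* key is copied from a request header the sender controls. The sketch below checks an allowlist against REMOTE_ADDR and reads X-Forwarded-For only when the peer is a reverse proxy you run yourself. The function names, constants and addresses are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical addresses for illustration; replace with your own.
const TRUSTED_PROXIES = ['10.0.0.5'];      // reverse proxies you operate
const ALLOWED_CALLERS = ['203.0.113.10'];  // servers allowed to call the resource

// Returns the caller address as far as the server can verify it,
// or null when the request data is malformed.
function callerIp(array $server): ?string
{
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    if ($peer === false) {
        return null;
    }
    $xff = trim($server['HTTP_X_FORWARDED_FOR'] ?? '');
    // Only a proxy we run may speak for another address.
    if (!in_array($peer, TRUSTED_PROXIES, true) || $xff === '') {
        return $peer;
    }
    // Walk the chain right to left: the first hop that is not one of our
    // proxies is the nearest address our own infrastructure observed.
    foreach (array_reverse(explode(',', $xff)) as $hop) {
        $ip = filter_var(trim($hop), FILTER_VALIDATE_IP);
        if ($ip === false) {
            return null; // malformed chain: fail closed
        }
        if (!in_array($ip, TRUSTED_PROXIES, true)) {
            return $ip;
        }
    }
    return $peer;
}

function isAllowed(array $server): bool
{
    $ip = callerIp($server);
    return $ip !== null && in_array($ip, ALLOWED_CALLERS, true);
}

// Constructed requests: a direct call carrying a forged header, and a server-side call.
$direct    = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'];
$viaServer = ['REMOTE_ADDR' => '203.0.113.10'];
var_dump(isAllowed($direct), isAllowed($viaServer));
```

In a deployment the check would be `isAllowed($_SERVER)`. When a visitor's browser loads the resource from a page, the connection comes from the visitor's machine, so REMOTE_ADDR holds the visitor's address; it holds the website's address only when the website's server fetches the resource itself.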