stackoom
  简体   繁体   中英

Is it possible to fake the domain of the request came from?

 原文  2021-12-02 13:21:40       api/ rest/ http/ security

Question

There website that allow to restrict their API usage for certain domains - so they will receive and respect only requests coming from those domains.

How do they check the sender domain? Can it be faked?

2 answers

solution1
 0  2021-12-02 13:33:07

They can check the sender domain by validating the sender domain PubKey certificate attached to the sender HTTPS request, which should be signed by a CA to certify the sender domain. This should work based on the SSL-based encrypted network data traffic.

solution2
 0  2021-12-02 16:14:56

Another way to do it is to support TLS Mutual authentication at the server in which case the client will have to authenticate itself by presenting the appropriate TLS Client certificate which is issued to it by a mutually trusted certification authority.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How do you verify an API request came from a certain domain? How to determine whether HTTP API request came from iPad Gather Client Domain from Rails API GET Request How to get JSON back from HTTP POST Request (to another domain) How can I fake a cookie in a web request that's generated dynamically? Is it possible for azure logic app to receive a file from incoming http request? Laravel external(from another domain) api request to check if the user is logged in a server (main server) Is it possible to fake progress on a mobile app if you managed to figure out the relevant API endpoints? Cross domain get request with jQuery using jsonp Nginx screen appering on first request to the domain
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM