
Prevent direct access to a php file that would be loaded in another server

I have this file style.php that would be used as the main CSS styling of several domains. This style.php file will only be available on 'website 1', while the remaining websites will load it from website 1.

For website 1.

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title> Website one </title>
    <link rel="stylesheet" href="style.php">
</head>
<body>


</body>

For website 2.

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title> Website one </title>
    <link rel="stylesheet" href="https://website1.com/style.php">
</head>
<body>


</body>

For website 3.

<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title> Website one </title>
    <link rel="stylesheet" href="https://website1.com/style.php">
</head>
<body>


</body>

So goes for several other websites.

Now this is what I want to do: I don't want direct access to style.php on website 1. For example, if a user visits https://website1.com/style.php, he shouldn't have access to it.

Here is the problem, when I use .htaccess to deny access to it, website 2, and 3 won't be able to load the css.

Is there any possible tweak that I can make to style.php so that when a user visits https://website1.com/style.php, he won't be able to access it, but when it is used as a stylesheet on website 2 and 3, it would load the CSS normally?

The short answer is "no".

The longer answer is that you have an incorrect mental model of what is currently happening. You are imagining that when you reference the stylesheet from website 2, the request is in some way "coming from" that website. What is actually happening is this:

  1. The user asks their browser to load website 2
  2. The browser sends a request to the server of website 2
  3. The server returns some HTML to the browser, which includes the URL where the stylesheet should be loaded from on website 1
  4. The browser decides it wants to load the stylesheet, so sends a request to the server of website 1
  5. The server of website 1 returns the styles
  6. The browser applies the styles to its display of website 2

At no point do your two servers talk to each other; they are always receiving requests from, and sending responses to, the browser. If the server refuses the request at step 5, the browser will never know what the stylesheet contained, so will just render the page without those styles.

With this in mind, we can re-cast the question:

Can I determine why a browser is requesting a URL, to distinguish between a user typing the URL into the address bar and the stylesheet being used on one of my sites?

The answer is maybe: there is an HTTP header that browsers can send called "REFERER" (yes, that's a typo for "referrer", but one that happened so long ago it became standard), which gives the URL the request "came from" in some sense. For a directly typed URL, it will always be blank; for a stylesheet URL, it will probably be the containing page. You can access it in PHP as $_SERVER['HTTP_REFERER'], or in an Apache configuration by putting RewriteCond %{HTTP_REFERER} some-pattern-to-match in front of a RewriteRule.

However, browsers have recently become stricter about passing referrer information between domains, for privacy reasons, so it may be blank in your case.

It's also really important to note that everything in the request is under full control of the user, and everything in the response is fully visible to the user. It's trivial to send a request with a fake REFERER header once you figure out that's what's needed. It's even more trivial to look at the stylesheet while you're on the site that uses it - in most browsers, pressing F12 will pop up "developer tools" where you can see everything the server sent.

So if you're hoping to keep the styles in some way "secret", you're out of luck; the user needs to be able to see the styles for their browser to use them.
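
The Referer check discussed in the answer above, written out as an added example that is not part of the original question or answer. It shows why the check is best-effort only. The host names website2.com and website3.com, the function name refererDecision, and the placeholder CSS are assumptions.

```php
<?php
// Added example: Referer allowlist for style.php. Host names are assumptions.
declare(strict_types=1);

const ALLOWED_HOSTS = ['website1.com', 'website2.com', 'website3.com']; // hypothetical

/**
 * Decide whether to serve the stylesheet based on the Referer header.
 * Returns 'serve' or 'deny'. $allowEmpty controls what happens when the
 * browser sent no Referer (typed URL, or a strict referrer policy).
 */
function refererDecision(?string $referer, bool $allowEmpty = false): string
{
    if ($referer === null || $referer === '') {
        return $allowEmpty ? 'serve' : 'deny';
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return 'deny';                      // malformed header value
    }
    // Exact host comparison; a substring match would also accept
    // hosts such as website2.com.example.net.
    return in_array(strtolower($host), ALLOWED_HOSTS, true) ? 'serve' : 'deny';
}

// Constructed sample header values, run from the CLI to show each outcome.
if (PHP_SAPI === 'cli') {
    $samples = [
        'page on website 2'          => 'https://website2.com/index.html',
        'typed into the address bar' => null,
        'unrelated site'             => 'https://other.example/page',
        'look-alike host'            => 'https://website2.com.example.net/',
        // Any HTTP client can send this value; the server cannot tell
        // it apart from the first sample.
        'client-supplied header'     => 'https://website2.com/',
    ];
    foreach ($samples as $label => $value) {
        printf("%-28s %s\n", $label, refererDecision($value));
    }
    exit;
}

// Web request: $_SERVER['HTTP_REFERER'] is absent when no header was sent.
if (refererDecision($_SERVER['HTTP_REFERER'] ?? null) === 'deny') {
    http_response_code(403);
    exit;
}
header('Content-Type: text/css; charset=UTF-8');
echo "body { font-family: sans-serif; }\n";   // placeholder styles
```

With $allowEmpty left at false, visitors whose browser withholds the Referer get an unstyled page on websites 2 and 3; setting it to true serves the file to anyone who opens the URL directly, which is the trade-off the answer describes.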
