How do I catch the request url / domain in my REST api?
Solution 1
On the Internet, every address can be faked (VPN, proxies, etc.). It's one of the fundamental principles of the network.
You will never be able to detect it with a 100% guarantee, so the most you can have is $_SERVER['HTTP_REFERER'] and $_SERVER['REMOTE_ADDR'].
You could additionally verify its existence before saving/processing it, but it could cost some additional performance on your server.
If your aim is to provide some additional access rules to some methods / data, you should use another verification mechanism (tokens, passwords, etc.).
Solution 2
print_r($_SERVER);
Maybe it'll be useful for you.
Solution 3
It sounds as though you're looking for the HTTP referer, accessible in PHP through $_SERVER['HTTP_REFERER'].
Solution 4
As far as I know, there are no reliable ways to determine the domain where a request comes from. Maybe you could check the client's IP address and/or the HTTP referer and match it to a set of domains, but that wouldn't be 100% safe in my opinion.
How about implementing an (optional) parameter for your API calls, which has to be the domain name?
Solution 5
I ended up defining a key constant in an external php file that I will deliver to the client within the CMS. (Already have a bunch of constants anyway).
On the server side I put the key in the database and compare these keys on every request. This is not foolproof but I realized I could use the key for other functions as well and so I implemented it anyway.
Using this combined with various other security checks I found it unnecessary to have to track the request domain. Thanks for the responses guys!
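An added example, not part of the original thread or the asker's code: one way to do the per-request key comparison described in Solution 5 so that the returned domain comes from the server-side record rather than from HTTP_REFERER or REMOTE_ADDR. The header names, the client id, the key and the in-memory $clients array (standing in for the database table) are all assumptions constructed for illustration.

```php
<?php
// Constructed stand-in for the server-side table of client keys (assumption:
// one row per CMS installation, storing a SHA-256 hash of the key, not the key).
$clients = [
    'client-42' => [
        'key_hash' => hash('sha256', 'constructed-sample-key-0001'),
        'domain'   => 'cms.example.com',
    ],
];

/**
 * Return the domain registered for the authenticated client, or null.
 * $server is $_SERVER; it is a parameter so the function can be exercised offline.
 */
function authenticatedDomain(array $server, array $clients): ?string
{
    $id  = $server['HTTP_X_CLIENT_ID'] ?? '';   // hypothetical header names
    $key = $server['HTTP_X_API_KEY'] ?? '';
    if (!is_string($id) || !is_string($key) || !isset($clients[$id])) {
        return null;
    }
    // hash_equals() compares in constant time, so response timing does not
    // leak how many leading characters of the key were correct.
    if (!hash_equals($clients[$id]['key_hash'], hash('sha256', $key))) {
        return null;
    }
    // The domain comes from the server-side record, never from the request.
    return $clients[$id]['domain'];
}

// Constructed requests: all carry the same Referer and address, which the
// function ignores; only the client id and key decide the result.
$forged = ['HTTP_REFERER' => 'https://cms.example.com/', 'REMOTE_ADDR' => '203.0.113.7'];
$valid  = $forged + ['HTTP_X_CLIENT_ID' => 'client-42', 'HTTP_X_API_KEY' => 'constructed-sample-key-0001'];
$wrong  = $forged + ['HTTP_X_CLIENT_ID' => 'client-42', 'HTTP_X_API_KEY' => 'guess'];

var_dump(authenticatedDomain($forged, $clients)); // request without a key
var_dump(authenticatedDomain($valid, $clients));  // request with the issued key
var_dump(authenticatedDomain($wrong, $clients));  // request with a wrong key
```

In a real endpoint a null result would map to a 401 response, and the key would only be sent over HTTPS.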
JeremyS
Updated on June 16, 2022
Comments
JeremyS almost 2 years
This may have a simple answer (and I hope it does) but looking online I only found examples of how to get the current URL/Domain. Nowhere could I find how to get that of the incoming http request.
My set up is a REST api that handles the typical GET/POST/DELETE/PUT requests. I have to return domain information for clients about the domain they're pulling from. Hence, if a client using my CMS clicks on info, he must receive info about the domain he is logged into (and thus sending the request from).
I chose not to add code here, seeing as my question pertains less to actual code as it does to methodology. Thanks in advance for any and all answers!