Avatar of BR
Flag for Turkey asked on

blocking the posted data from outside of my domains

I use php,
I have a web page that I should not allow anybody posting data to my website except one specific web site.
How can I block all the posts coming from outside except one domain?

I want to allow a website to post my page an input but I need to block the rest of the world.

by the way, only the registered users can post  data to my page, however I need to be sure that the data posted to my website must come from that specific domain.

How can I do that?

Avatar of undefined
Last Comment
Ray Paseur

8/22/2022 - Mon
Ray Paseur

There are several tests you can use.  These or some combination of these will usually do the trick.

You can check the value in $_SERVER['HTTP_REFERER']

You can use an API key, or OAuth, or similar authentication "handshake."

You can add a CAPTCHA test to the posting script.

You can use PHP client authentication.

You can use some kind of a form token.

Dear Ray Paseur,
thanks to you, I know most of them. I used your login and registration article to create my page. I also used your form token article for my forms. And, Using an API key would be great, I'm sure.

I want to learn how I can block the users coming from outside of specific domain with $_SERVER['HTTP_REFERER']

can you give me an example?

I put a test page on my server and inside php code $_SERVER['HTTP_REFERER'] and it gives me only - ( a hypen )
Ray Paseur

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Dear Ray Paseur,
I tested the solution, it works perfectly.
Thank you so much.
You are the master of everything about web.
Did you know that, you can see with Google Chrome Developers Tool whatever is posted ( it is supposed to be hidden but its not anymore ) to a webpage? You probably know it but,
 if you check on Google Chrome > Tools > More Tools > Developers Tools you can see if you click Preserve Log Under Network ribbon everything a page posted ( hidden or not ) you see everything a page posts...

thank you so much again
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Julian Hansen

You can't rely on this - the actual post comes from a browser sends a REFERER string in the Header - this can be very easily spoofed.

You should probably be looking at CSRF (Cross Site Request Forgery) as well to prevent posts from unwanted sources.

Dear Julian Hansen,
Ray Paseur mentioned that too..
Thank you for the comment, I will search for the CSRF on the web. Thank you both
Julian Hansen

So - he did - I missed that .
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Ray Paseur

You're welcome, of course.  And yes, Chrome Dev Tools are very helpful!

Before you spend too much time surfing the web for CSRF, read this article.  It might have everything you need to know, all in one place!