Web servers
Kirill Ozeretskovsky, 2019-12-12 21:44:29

If the server checks the HTTP Referer, will that serve as an additional (or the main) measure for controlling access to the API?

I want to serve some data from my server, so I want to create an API, but instead of a token, check which resource the "client" made the request from, i.e. the HTTP Referer. Can all of this be faked, in the sense of a request from a server that does not have the right to take the data? The main idea is that service clients could be created even on Git page hosting, like GitHub Pages or GitLab; on the first one you would have to write the token into the repository (I don't know about the second), and as a result you risk it being used by attackers.


2 answer(s)
xmoonlight, 2019-12-12
@xmoonlight

100% - you can fake it.
Don't even think about doing it.

The main idea is that service clients could be created even on GIT page hosts, like GitHub Pages or GitLab,
fetch(), iframe, etc.
Or see here

Vladimir Korotenko, 2019-12-12
@firedragon

This is protection from honest people

curl --referer http://example.com/bot.html http://www.cyberciti.biz/
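Both answers above make the same point: any non-browser client can put whatever it likes in the Referer header, so a Referer allow-list is not access control. As an added example that is not part of either answer, the following Python script runs a tiny Referer-gated API on a loopback port and probes it three ways: with no Referer, with a forged Referer for the allowed origin (the curl one-liner above, done from Python), and with a look-alike host that a naive substring check wrongly accepts even when the Referer is honest. The allow-list host `client.example.com`, the attacker host `client.example.com.attacker.test` and the `/api/data` path are constructed for the example.

```python
"""Why an HTTP Referer allow-list is not an access control (added example).

A minimal API server keeps an allow-list of hosts and rejects requests whose
Referer is not on it. A client then calls it with no Referer, with a forged
Referer, and with a look-alike host that slips past a naive substring check.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import urlparse

# Constructed allow-list for the example (assumed, not from the original post).
ALLOWED_HOSTS = {"client.example.com"}


def referer_allowed_naive(referer: str) -> bool:
    """Substring check: accepts any Referer that merely contains an allowed host."""
    return any(host in referer for host in ALLOWED_HOSTS)


def referer_allowed_strict(referer: str) -> bool:
    """Parse the Referer and compare the host exactly.

    This closes the look-alike bypass but is still trivially spoofable by any
    client that is not a browser enforcing the header itself.
    """
    try:
        parsed = urlparse(referer)
        hostname = parsed.hostname
    except ValueError:
        return False
    return parsed.scheme in ("http", "https") and hostname in ALLOWED_HOSTS


class RefererGatedAPI(BaseHTTPRequestHandler):
    """Answers 200 with data if the Referer passes the configured check, else 403."""

    check = staticmethod(referer_allowed_strict)

    def do_GET(self) -> None:
        referer = self.headers.get("Referer", "")
        if self.check(referer):
            body, status = b'{"secret":"data"}', 200
        else:
            body, status = b'{"error":"forbidden"}', 403
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:
        pass  # keep the demo quiet


def fetch_status(url: str, referer: Optional[str]) -> int:
    """GET url with an arbitrary Referer header; any scripted client can set one."""
    req = urllib.request.Request(url)
    if referer is not None:
        req.add_header("Referer", referer)
    # Empty ProxyHandler: ignore http_proxy env vars so loopback traffic stays local.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


def run_demo(check=referer_allowed_strict) -> dict:
    """Start the API on an ephemeral loopback port, probe it, return the status codes."""
    RefererGatedAPI.check = staticmethod(check)
    server = HTTPServer(("127.0.0.1", 0), RefererGatedAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/api/data"
    try:
        return {
            "no_referer": fetch_status(url, None),
            "forged_referer": fetch_status(url, "https://client.example.com/app.html"),
            "lookalike_referer": fetch_status(url, "https://client.example.com.attacker.test/"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("strict host check:", run_demo(referer_allowed_strict))
    print("naive substring check:", run_demo(referer_allowed_naive))
```

With the strict check the forged request still gets 200, which is the whole point of both answers: the server has no way to tell a forged Referer from a real one. The naive check additionally lets the look-alike host through, so even the "honest" browser case is misjudged. Note that a page script in a browser cannot set Referer through fetch() (it is a forbidden header name), so the forgery comes from curl, Python, or any other non-browser client; conversely, a Referrer-Policy of no-referrer on the legitimate client page would make the real client fail the check.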
