Question
I want to create an API, and to authenticate API consumers, I will provide an API KEY, App-id and App-Secret. The problem is that I want to know where the HTTP request is coming from, so that I can know if the host that is making the request is the registered host. For example: www.someone.com has an app-id: 0001, app-secret: 1200 and api-key: 458. If these credentials are used to make a request, I want to know if the requester is really www.someone.com
Answer 1:
Use $_SERVER['HTTP_REFERER']. It is the address of the page (if any) which referred the user agent to the current page. This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature.
For further restrictions you can perform the following. example.com should be changed to your domain.
IIS, set the below in web.config:
<add name="Access-Control-Allow-Origin" value="http://www.example.com" />
Apache, set the below in httpd.conf/apache.conf:
Header add Access-Control-Allow-Origin "http://www.example.com"
Answer 2:
Generally, this header should do the job. Having the domain name in this header
header("Access-Control-Allow-Origin: " . $_SERVER['HTTP_ORIGIN'] . "");
// use domain name instead of $_SERVER['HTTP_ORIGIN'] above
but if you want to check for more info, use something like the following snippet:
// Origin header values carry the scheme, e.g. "https://domain1"
$allowed = array('domain1', 'domain2', 'domain3');
if (isset($_SERVER['HTTP_ORIGIN']) && in_array($_SERVER['HTTP_ORIGIN'], $allowed, true)) {
    // SELECT credentials for this user account from database
    if (isset($_GET['api_key'], $_GET['app_secret'])
        && is_string($_GET['api_key']) && is_string($_GET['app_secret'])
        // hash_equals() avoids the type juggling of == and compares in constant time
        && hash_equals('api_key_from_db', $_GET['api_key'])
        && hash_equals('app_secret_from_db', $_GET['app_secret'])
    ) {
        // all fine
    } else {
        // not allowed
    }
} else {
    // not allowed
}
If the users have to pass more data to your service, use POST instead of GET.
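An added example, not code from any of the answers: one way to combine the checks discussed on this page, using a hypothetical registry (registered_apps) and helper (authorize) that are assumptions of this example. It matches the Origin header exactly against the origin registered for the app-id, and treats the credentials rather than the header as the authentication, because the header is supplied by the client.

```php
<?php
declare(strict_types=1);
// Constructed registry keyed by app-id (values from the question); normally a database.
function registered_apps(): array
{
    return ['0001' => [
        'origin'     => 'https://www.someone.com', // scheme://host[:port], no path
        'api_key'    => '458',
        'app_secret' => '1200',
    ]];
}

// Takes $_SERVER-style and $_POST-style arrays; returns [HTTP status, response headers].
function authorize(array $server, array $params): array
{
    $apps   = registered_apps();
    $id     = $params['app_id'] ?? null;
    $key    = $params['api_key'] ?? null;
    $secret = $params['app_secret'] ?? null;
    if (!is_string($id) || !is_string($key) || !is_string($secret) || !isset($apps[$id])) {
        return [401, []];
    }
    $app = $apps[$id];
    // The credentials authenticate the consumer: constant-time, type-strict comparison.
    $keyOk    = hash_equals($app['api_key'], $key);
    $secretOk = hash_equals($app['app_secret'], $secret);
    if (!$keyOk || !$secretOk) {
        return [401, []];
    }
    // Origin is a client-supplied header. A browser sets it on cross-origin calls;
    // other clients may omit it or send any value, so it only narrows browser use.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null) {
        return [200, []]; // no Origin header: the credentials alone decide
    }
    // Exact match against this app's registered origin; prefix or substring
    // matching would also accept "https://www.someone.com.other.example".
    if ($origin !== $app['origin']) {
        return [403, ['Vary: Origin']];
    }
    return [200, ['Access-Control-Allow-Origin: ' . $app['origin'], 'Vary: Origin']];
}

// Constructed requests: the registered origin, a look-alike origin, no Origin header.
$creds = ['app_id' => '0001', 'api_key' => '458', 'app_secret' => '1200'];
foreach (['https://www.someone.com', 'https://www.someone.com.other.example', null] as $o) {
    [$status, $headers] = authorize($o === null ? [] : ['HTTP_ORIGIN' => $o], $creds);
    echo $o ?? '(no Origin)', ' => ', $status, ' ', implode('; ', $headers), PHP_EOL;
}
```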
Answer 3:
Laravel 5: in request method controller:
$origin = request()->headers->get('origin');
Answer 4:
I think what you mean is that you want to access the "Origin" header in the request headers (as opposed to setting it in the response headers).
For this the easiest way is to access the built-in getallheaders() function - which is an alias for apache_request_headers() - N.B. this is assuming you are using PHP as a module.
This returns an array so the Origin header should be available like this:
$request_headers = getallheaders();
$origin = $request_headers['Origin'];
If you are using PHP via something like FastCGI then I believe it would be made available in the environment - usually capitalised and prefixed by "HTTP_" so it should be $_SERVER['HTTP_ORIGIN'].
Hope that helps anyone else looking for this :)
Answer 5:
Using a var_dump you can see all that the request has to offer.
var_dump($_REQUEST);
Do a var_dump on the server global as well. It contains a lot of useful information.
var_dump($_SERVER);
Source: https://stackoverflow.com/questions/25520085/how-to-get-http-request-origin-in-php