How to verify AJAX request origin domain

Gummibeer

Astroneer
Moderator

Hey,

I feel dumb right now.
Is there any reliable way to verify the origin domain of an ajax request? 🤔

The HTTP referer header isn't reliable - so is there any way? Public credentials without domain verification are useless.

I really feel dumb. 🙈💩

 

Adam

Mr. Webwide
Administrator

I think there must be a way. I know that many Google APIs (maps & reCaptcha for sure) have domain verification, I doubt it is as easy to break as referrer spoofing. I will see if I can work out how!

 

Gummibeer

Astroneer
Moderator

I think there must be a way. I know that many Google APIs (maps & reCaptcha for sure) have domain verification, I doubt it is as easy to break as referrer spoofing. I will see if I can work out how!
Yes, OAuth2, Google APIs and Facebook APIs do it. I don't want to believe that they only use something as vulnerable as the referer header. 🤔
Primarily because, even without malicious intentions, it isn't reliable: a lot of privacy add-ons/browsers simply suppress it, which is intended by the RFC.

 

Gummibeer

Astroneer
Moderator

Because all requests will be CORS, the Origin header will be sent. But this one is still fakeable and not reliable. 😕🤔
Like in all those threads: HTTP is plain text and because of this always fakeable. 🙃

 

Adam

Mr. Webwide
Administrator

@Gummibeer did you ever find a way to solve this? Would love to know the solution (as I'm sure the few people finding this thread on Google would 👋)!

 

Gummibeer

Astroneer
Moderator

Hey,
sorry - yeah, as expected there's no reliable way to do this. The Origin header for CSR is secure and reliable as long as the request originates in a browser.
On the CLI, via curl for example, you can of course manipulate every header.
So, for my case the solution is a combination:

  • enforce Origin header
  • validate Origin header
  • use public API-token which is bound to a specific domain
  • use Akismet as anti-spam tool for incoming data

Of course there's still a way for any "hacker" to post valid data to the API via the CLI. But the application isn't anything financial - only comments, mentions and so on. So I will live with it for the moment and see how it works in production.
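The combination described in the reply above (require the Origin header, validate it, and bind a public API token to a specific domain) as an added example in Python; this is not code from the thread or from any of the posters, and the token values and allowed origins are constructed for illustration. As the reply notes, the check only means something for requests a browser actually sent: a CLI client can set any Origin it likes, so this is a filter for casual misuse of a public token, not an authentication mechanism.

```python
from urllib.parse import urlsplit

# Constructed sample binding: public token -> set of origins it may be used from.
# These token strings and domains are made up for the example.
TOKENS = {
    "pk_live_example_site": {"https://example.com", "https://www.example.com"},
    "pk_live_staging": {"https://staging.example.com:8443"},
}


def normalize_origin(origin):
    """Canonicalise an Origin header value to scheme://host[:port].

    Returns None when the value is absent, opaque ("null"), or not a
    well-formed origin, so callers can treat all of those as "no origin".
    """
    if origin is None:
        return None
    origin = origin.strip()
    # "null" is sent for opaque origins (file://, sandboxed iframes, some redirects)
    if origin == "" or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A real Origin header carries no path, query, fragment or userinfo.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower().rstrip(".")
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_request(headers, token):
    """Apply the three rules: enforce Origin, validate it, match it to the token.

    `headers` is a plain dict of request headers (case-insensitive lookup).
    Returns (True, canonical_origin) on success or (False, reason) on rejection.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = normalize_origin(lowered.get("origin"))
    if origin is None:
        # Enforce: a browser-issued cross-origin request always carries Origin.
        return (False, "missing or unusable Origin header")
    allowed = TOKENS.get(token)
    if allowed is None:
        return (False, "unknown token")
    # Exact match on the canonical origin: no suffix matching, so
    # "https://example.com.evil.test" does not pass for "example.com".
    allowed_norm = {normalize_origin(o) for o in allowed}
    if origin not in allowed_norm:
        return (False, f"origin {origin} is not bound to this token")
    return (True, origin)


if __name__ == "__main__":
    sample = [
        ({"Origin": "https://example.com"}, "pk_live_example_site"),
        ({"Origin": "HTTPS://WWW.Example.com:443"}, "pk_live_example_site"),
        ({"Origin": "https://example.com.evil.test"}, "pk_live_example_site"),
        ({"Origin": "http://example.com"}, "pk_live_example_site"),
        ({}, "pk_live_example_site"),
        ({"Origin": "null"}, "pk_live_example_site"),
        ({"origin": "https://staging.example.com:8443"}, "pk_live_staging"),
    ]
    for hdrs, tok in sample:
        print(hdrs.get("Origin", hdrs.get("origin")), tok, "->", check_request(hdrs, tok))
```

Matching is done on the canonical origin string rather than with a substring or suffix test, and scheme and port are part of the comparison, so an http:// page or a lookalike domain cannot borrow a token bound to the https:// site. Browsers omit Origin on some same-origin requests, so this check belongs on the cross-origin API endpoints the thread is about, not on every route.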

 