Hey,
I feel dumb right now.
Is there any reliable way to verify the origin domain of an ajax request? 🤔
The HTTP referer header isn't reliable - so is there any way? Public credentials without domain verification are useless.
I really feel dumb. 🙈💩
I think there must be a way. I know that many Google APIs (maps & reCaptcha for sure) have domain verification, I doubt it is as easy to break as referrer spoofing. I will see if I can work out how!
Yes, oAuth2, Google APIs, Facebook APIs do it. I don't want to believe that they only use something this vulnerable as the referer header. 🤔
Because all requests will be CORS the origin header will be sent. But this one is still fakeable and not reliable. 😕🤔
Like in all those threads: HTTP is plain text and because of this always fakeable. 🙃
See the response here: Is CORS a secure way to do cross-domain AJAX requests?
I was going to ask the use case, since, if you're trying to protect the data you should probably protect it with SSL Client certificate or some other authentication method.
@Gummibeer did you ever find a way to solve this? Would love to know the solution (as I'm sure the few people finding this thread on Google would 👋)!
Hey,
sorry - yeah, like expected there's no reliable way to do this. The origin header for CSR is secure and reliable as long as the request is originated in a browser.
On CLI via curl for example you can for sure manipulate every header.
So, for my case the solution is a combination:
Origin headerOrigin header