What is a safe way to know the Referer / referrer of an HTTP request?

I am using nodejs to write an image upload service. Paying clients will be able to send an image file to my endpoint, which I have installed on my server. However, when each request arrives, I need to confirm that it is in fact a paying client making the request. I thought the client would give me his domain name, and I would just check the Referer header. However, someone can easily fake the Referer header and use my service without paying. How do SaaS developers deal with this technical issue? Is it possible to solve this without requiring my clients to have server-side code?

+6
2 answers

You cannot authenticate a browser with the Referer header.

If you want to authenticate an individual, you most likely need a login system in which they provide credentials (username / password), and you check them against your authorized user base. If they pass, you set a certain type of cookie in their browser that indicates that it is a legitimate user. Subsequent requests from this user will contain this cookie, which you can check on each request.

The cookie should be something you create so that you can make sure it cannot be easily guessed or faked (for example, a session ID or an encrypted token from your server). Usually you set the cookie to expire after a while so that the user has to log in again.

+1

Are you creating an external image hosting service for websites, or do you want to share something that HAS to be private and SECURE? If it is the first, read on.

Of course, the header can be faked. This is why you should not worry about this:

  • The ugly alternative. To create a secure serving service, you will have to develop some kind of token system, which the website owner implements on his end. Most likely, he would not sign up with you, because there are simpler alternatives.

  • Faking must be done on the client side. Actually there are very few such "users". Two geeks spoofing headers on their machine will not matter much to you. If they write a proxy or an intermediary program that does this job automatically, and many people start using it, it can be a problem. However, this is unlikely.

I guess you already know this, but since you haven't mentioned it: it's called Hotlinking. Google that term to find additional resources.

+2

Source: https://habr.com/ru/post/921584/
