So my question is simple: I've used the following method for allowing access to the PHP script via the referrer's domain name, but I want to allow access for only referrers ma
What is it that you are trying to protect?
You should never trust HTTP_REFERER as it can be spoofed (as others have pointed out). Also some firewalls and security software will rewrite or remove the referer, and not all browsers report it properly.
If it's sensitive data then personally I would pass a hash between pages.
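One way to implement the hash-passing idea mentioned above, as an added example that is not part of the original answers: the linking page issues an HMAC-signed, expiring token and the protected script verifies it. SECRET, issue_token() and verify_token() are hypothetical names, and the key value is a placeholder.

```php
<?php
// Added example: signed, expiring token passed from the linking page
// to the protected script. All names here are hypothetical.
const SECRET = 'replace-with-random-key-loaded-from-config'; // placeholder

// Called by the linking page: bind the token to one resource and an expiry.
function issue_token(string $resource, int $ttl = 300, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $mac = hash_hmac('sha256', $expires . '|' . $resource, SECRET);
    return $expires . '.' . $mac;
}

// Called by the protected script before doing any work.
function verify_token(string $token, string $resource, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // missing or malformed token
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false; // token has expired
    }
    $expected = hash_hmac('sha256', $expires . '|' . $resource, SECRET);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Linking page: embed the token in the URL it hands out.
$token = issue_token('script.php');
echo '/script.php?t=' . urlencode($token), PHP_EOL;

// Protected script: in production the token comes from $_GET['t'] ?? ''.
// Constructed cases, run in order:
var_dump(verify_token($token, 'script.php'));               // token as issued
var_dump(verify_token($token, 'other.php'));                // reused for another resource
var_dump(verify_token($token, 'script.php', time() + 600)); // checked after expiry
var_dump(verify_token('', 'script.php'));                   // no token supplied
?>
```

A token carried in a URL can still be copied and reused until it expires; including the visitor's session identifier in the MAC input ties it to one session.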
It will not be safe because referrer data can be easily spoofed. However, if it still fits your needs, then you should be fine with your code already, since $_SERVER['HTTP_REFERER'] contains the full referrer URL and not just the domain. Actually, your present code needs some adjustments because it can't work like that:
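<?php
// This is to check if the request is coming from a specific domain
// A missing header becomes an empty string, which fails the check below
$ref = $_SERVER['HTTP_REFERER'] ?? '';
// parse_url() returns null for the host when the URL has none
$host = parse_url($ref, PHP_URL_HOST);
if ($host !== 'domain.com') {
    // Output string and stop execution
    die("Hotlinking not permitted");
}
echo "Executing code here";
?>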
Note that if you check if HTTP_REFERER is set before checking if it's what you want, people would get to your script without any referrer set at all, so you should check it in any case. Now, checking for a specific URL is much simpler:
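<?php
// This is to check if the request is coming from a specific URL
// A missing header becomes an empty string, which fails the check below
$ref = $_SERVER['HTTP_REFERER'] ?? '';
if ($ref !== 'http://domain.com/page.html') {
    // Output string and stop execution
    die("Hotlinking not permitted");
}
echo "Executing code here";
?>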