How to deny access to my server end points ? (PHP)

How to deny access to my server end points ? (PHP)



I've developed some software installed e.g. on www.example.com. It's accessed via an HTML web page. Some HTML buttons can call PHP end points which are also on that domain. I use JWT to secure login.


www.example.com



But what I also want to do is only allow access to the end points from the office, so I'm trying to get the PHP to block any access from other domains. But of course since the software is hosted from www.example.com domain, it sends end point requests from that domain, which is what I think has so far thwarted my current attempts.


www.example.com



I tried


header('Access-Control-Allow-Origin: https://www.example.com');



but don't think it will work for the above reason. It certainly doesn't block the end point when I try to access it via the www.example.com domain web interface, despite which computer network I use.


www.example.com



Maybe instead I have to check the client IP within the PHP and deny access if it doesn't match. But what if there's dynamic IP's and the IP's could change given enough time. Is there a way round that?



Any help appreciated.





Your question is quite unclear to me... People visit www.example.com. This will make requests to your webserver, both for static files (HTML), and your PHP endpoints (the user clicks some button specified by said HTML). Who exactly do you want to block? Do you only want to allow people from your office to visit your site?
– marcelm
Sep 3 at 22:53





@marcelm yes, I want it to be hosted on my clients server for convenience and to use a database on the server, but only allow use by the office IP address. I solved this by setting up a '.htaccess' file in the root '/projects/' folder which contains all the PHP and HTML files. I wanted to protect the end points in particular. From the accepted answer I was able to discern this solution. It's very simple and works. Occam's Razor for me :-)
– Antinous
Sep 4 at 5:09





3 Answers
3



First, regarding what you have tried already:



header('Access-Control-Allow-Origin: https://www.example.com');


header('Access-Control-Allow-Origin: https://www.example.com');



This will fail for a number of reasons:


CORS


CORS


curl


postman



IP Filtering



In a case like this the best bet is to simply filter by ip address, which you mentioned. Generally offices have static IP addresses or change rarely, so it is actually quite feasible to do. Presuming the entire office is NATed behind one router/ip address then it is quite simple because you just need the one rule: dump all traffic except port 80 (443?) coming from the office IP. You probably shouldn't bother doing this with PHP, however, because for PHP to reject the request on the basis of the IP address first requires your server to process the request, launch PHP, and pass it along. A simple firewall rule is much easier on server resources. Dynamic office IP addresses are almost unheard of, so unless you know that that is the situation for you, I wouldn't worry about it.





Thank you. I had my reservations about Access-Control, as I'd read it was not designed to restrict access, or something like that. I will give IP filtering a go from behing the firewall. Ideally I would need to filter only a portion of the domain, e.g. https://www.example.com/projects/
– Antinous
Sep 3 at 13:45



https://www.example.com/projects/





I may be able to achieve this by creating a .htaccess file in my /projects/ server folder (possibly)
– Antinous
Sep 3 at 14:51


/projects/





You probably can, and it will get you slightly performance than with PHP, although not necessarily as much as you think. Apache loads up the PHP interpreter for every request, so your footprint is still large. However, that isn't me saying that is a bad idea. For small applications server resources are rarely a problem, so using .htaccess or even PHP are unlikely to cause you actual problems.
– Conor Mancone
Sep 3 at 15:50





resources aren't really a problem, but this is something to bear in mind for future work.
– Antinous
Sep 3 at 16:05



Your idea on the domains is rather wrong. You need to understand one essential thing about a web server.



There is no such thing like "an access from a domain". It is not a "software" which is sending requests to endpoints but a client (which is usually a browser). A client may read some information from your server first, but it's unnecessary.



Long story short, you cannot limit an access to your endpoints "from a domain".



The idea for the ip address is more fruitful, and more plausible than you think. Offices seldom change their IP, least they use a dynamical one. So you can limit access to the whole www.example.com server (not only endpoints) based on the IP address of your office.



Though there is another culprit, as IP address can be forged, and thus it is possible to create a request that will be allowed to send something to your endpoint (however without the ability to get the response).



But I would consider such a protection rather unnecessary given you are using JWT for the authentication (and, I assume, HTTPS for the secured connection).





Thank you. Yes, I knew my understanding of the basic principles was incorrect. I am using SSL/TLS for communication and JWT for authentication, but my client is requesting I block access from outside their IP.
– Antinous
Sep 3 at 13:45




Ok, this is how I solved the problem:



In your server's File Manager, in the folder you wish to restrict access, create a new .htaccess file and add the following lines:


.htaccess


Order Deny, Allow
Deny from all
Allow from 1.2.3.4



where 1.2.3.4 is the IP address you wish to allow.


1.2.3.4



You can grant additional access by comma separating IP addresses or if that doesn't work just use additional Allow from lines.


Allow from



I believe you can also add wildcard IP addresses too.



Thanks for contributing an answer to Information Security Stack Exchange!



But avoid



To learn more, see our tips on writing great answers.



Some of your past answers have not been well-received, and you're in danger of being blocked from answering.



Please pay close attention to the following guidance:



But avoid



To learn more, see our tips on writing great answers.



Required, but never shown



Required, but never shown




By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

-

Popular posts from this blog

𛂒𛀶,𛀽𛀑𛂀𛃧𛂓𛀙𛃆𛃑𛃷𛂟𛁡𛀢𛀟𛁤𛂽𛁕𛁪𛂟𛂯,𛁞𛂧𛀴𛁄𛁠𛁼𛂿𛀤 𛂘,𛁺𛂾𛃭𛃭𛃵𛀺,𛂣𛃍𛂖𛃶 𛀸𛃀𛂖𛁶𛁏𛁚 𛂢𛂞 𛁰𛂆𛀔,𛁸𛀽𛁓𛃋𛂇𛃧𛀧𛃣𛂐𛃇,𛂂𛃻𛃲𛁬𛃞𛀧𛃃𛀅 𛂭𛁠𛁡𛃇𛀷𛃓𛁥,𛁙𛁘𛁞𛃸𛁸𛃣𛁜,𛂛,𛃿,𛁯𛂘𛂌𛃛𛁱𛃌𛂈𛂇 𛁊𛃲,𛀕𛃴𛀜 𛀶𛂆𛀶𛃟𛂉𛀣,𛂐𛁞𛁾 𛁷𛂑𛁳𛂯𛀬𛃅,𛃶𛁼

𛀝𛂎𛃩𛁂𛂯𛀋𛃈,𛁴,𛀡𛃕𛁀𛀆𛀝𛀊𛀚𛃍𛂯𛂸𛁞𛂪𛀈,𛂵,𛀞𛂢𛀯𛃂𛁱 𛃩𛂜𛃅 𛂧𛀧𛂦𛀑,𛃛𛃟,𛃍𛀔𛀣𛀶𛀪𛃱𛀓𛀅𛁱,𛂖 𛁷 𛁉𛂹𛀉𛀼 𛁎,𛃭 𛀣𛃫𛃯𛁸𛂸𛂰𛂣𛀯𛁩𛂂𛃓𛃿𛂽𛃤𛃢𛁂𛀺 𛂚𛀅𛃵𛁬𛃽𛃯𛂔𛃣𛃝𛂫 𛂖𛂾𛂈 𛂡𛁔𛀇𛁁𛃛𛃖 𛃜,𛁊𛂠𛀌𛁼𛃶𛃣𛃊𛀘𛂐𛃓𛃛𛁂𛂥𛃛𛂲,𛃄𛀗𛀪𛁘𛁉𛁫𛀲𛀕𛂍𛁓𛁏𛃿𛃔𛁼 𛀞𛀤 𛂏𛃚𛃎 𛃱𛀭𛀟𛂃𛀭𛀫𛃚 𛂻𛁄 𛃚𛂁 𛂀𛂈𛃒𛁼𛃏𛂣𛂔,𛁩𛂝,𛁎,𛂗,𛂧𛃁𛃷𛁜𛃭𛂙𛂣𛀱𛂢𛁔𛁥𛂘𛃏𛀇𛂅𛁗𛃅𛂷𛃬𛁹𛁭,𛀵𛁍,𛃂𛁣𛁡𛃉𛀳𛀜𛁢 𛀲 𛁐𛀊𛁷𛃃𛃔𛀃𛃄𛃙𛀩𛃖𛂮𛃷𛀚𛂚𛃜𛁘,𛁤𛁵𛀝𛂮𛁲𛃸𛂩𛂼𛂠,𛁖𛃸𛀯,𛁰𛁇𛃣,𛃨𛂦𛀫𛃁 𛂓𛃁𛃥𛃰𛁅𛂻𛂻 𛁃𛁺𛃤𛀏 𛃻𛃽 jKH8N2gXPW4,5NtI,zi C6C,8 LtJ9 h5T40,Y 29W,8IH3pJwKf Q32PJw73ZM7a 7,0EI,5Hu NBOF x,V,Zan l 51Vm,1,o6 zHC69UbfzB6dS62,fvHKgJsOHeC 7 u Z,5,b510gw756DJ0K3 NLBCejw,1s12o037 gLrqm,8JV5,0HH7y8,5n1W5 oN943 0,EdU7tbRJ74 8DXtjBp0,KnM,2S,8 V4Ph1H2 Yb6FxtA,M,3qXGu2094wS GvlV4l,HFrZ D76u3,kr9E,ij4jFFOb 49,dJKN,V Kv,V4,a8wm,d2U8 9,Nx,vO98,JX,uO3,Y,Y1ay74uomg,7Tt5XFU TKTZ28,0C7LbNuU FhgfO3,4n E,l MSI03CLgM9D,Abr E 7sR0J,6,07N A2u 7,6Q PpzEZ1wKZN YAd759p,31UtJ63dBF3p 0,EZL 4FjbJ l Qep zHs63,u2f6xSKS Vz2Q O,9zIlq0J 9PR
Read more

Edmonton

Image
Clash Royale CLAN TAG #URR8PPP This article is about the city in Canada. For other uses, see Edmonton (disambiguation). City in Alberta, Canada Edmonton City City of Edmonton From top left: Downtown Edmonton, Fort Edmonton Park, Legislature Building, Law Courts, Rogers Place, High Level Bridge, Muttart Conservatory Flag Coat of arms Logo Nickname(s):  Canada's Festival City, City of Champions, The Oil Capital of Canada more... [1] Motto(s):  Industry, Integrity, Progress Edmonton Location of Edmonton in Canada Show map of Canada Edmonton Edmonton (Alberta) Show map of Alberta Coordinates: 53°32′N 113°30′W  /  53.533°N 113.500°W  / 53.533; -113.500 Coordinates: 53°32′N 113°30′W  /  53.533°N 113.500°W  / 53.533; -113.500 Country Canada Province Alberta Region Edmonton Metropolitan Region Census division 11 Founded 1795 Incorporated [2] [3]    • Town January 9, 1892  • City October 8, 1904 Amalgamated [2] February 12, 1912 Named for Edmonton, London Government  • Mayor Don I
Read more

Crossroads (UK TV series)

Image
[dummy-text] Crossroads (UK TV series) From Wikipedia, the free encyclopedia Jump to navigation Jump to search For other uses, see Crossroads (disambiguation). "Crossroads Motel" redirects here. For the album by the Sonny Moorman Group, see Crossroads Motel (album). Crossroads 2003 title sequence Created by Hazel Adair Peter Ling Written by Michala Crees Ivor Jay Rosalie Grayson Raymond Bowers David Garfield Edward F. Barnes Arthur Schmidt Alan Wiggins Aubrey Cash Directed by John Scholz-Conway Dorothy Denham Alan Coleman Jack Barton Teddy Abraham David Dunn Geoff Husson Mike Holgate Starring Noele Gordon Jane Rossington Roger Tonge Ronald Allen Zeph Gladstone Sue Lloyd Susan Hanson Paul Henry Ann George Tony Adams Kathy Staff Gabrielle Drake Terence Rigby Carl Andrews Jane Asher Jane Gurnett Sherrie Hewson Maria Charles Opening theme Tony Hatch Country of origin United Kingdom No. of episodes Original Series: 4510
Read more