How to deny access to my server end points ? (PHP)


I've developed some software installed e.g. on www.example.com. It's accessed via an HTML web page. Some HTML buttons can call PHP end points which are also on that domain. I use JWT to secure login.


But what I also want to do is only allow access to the end points from the office, so I'm trying to get the PHP to block any access from other domains. But of course since the software is hosted from www.example.com domain, it sends end point requests from that domain, which is what I think has so far thwarted my current attempts.


I tried


header('Access-Control-Allow-Origin: https://www.example.com');



but I don't think it will work for the above reason. It certainly doesn't block the end point when I try to access it via the www.example.com web interface, regardless of which computer network I use.


Maybe instead I have to check the client IP within the PHP and deny access if it doesn't match. But what if there are dynamic IPs and the IPs could change given enough time? Is there a way round that?



Any help appreciated.





Your question is quite unclear to me... People visit www.example.com. This will make requests to your webserver, both for static files (HTML), and your PHP endpoints (the user clicks some button specified by said HTML). Who exactly do you want to block? Do you only want to allow people from your office to visit your site?
– marcelm
Sep 3 at 22:53





@marcelm yes, I want it to be hosted on my clients server for convenience and to use a database on the server, but only allow use by the office IP address. I solved this by setting up a '.htaccess' file in the root '/projects/' folder which contains all the PHP and HTML files. I wanted to protect the end points in particular. From the accepted answer I was able to discern this solution. It's very simple and works. Occam's Razor for me :-)
– Antinous
Sep 4 at 5:09





3 Answers



First, regarding what you have tried already:

header('Access-Control-Allow-Origin: https://www.example.com');

This will fail for a number of reasons:

- CORS
- curl
- postman



IP Filtering



In a case like this the best bet is to simply filter by ip address, which you mentioned. Generally offices have static IP addresses or change rarely, so it is actually quite feasible to do. Presuming the entire office is NATed behind one router/ip address then it is quite simple because you just need the one rule: dump all traffic except port 80 (443?) coming from the office IP. You probably shouldn't bother doing this with PHP, however, because for PHP to reject the request on the basis of the IP address first requires your server to process the request, launch PHP, and pass it along. A simple firewall rule is much easier on server resources. Dynamic office IP addresses are almost unheard of, so unless you know that that is the situation for you, I wouldn't worry about it.





Thank you. I had my reservations about Access-Control, as I'd read it was not designed to restrict access, or something like that. I will give IP filtering a go from behind the firewall. Ideally I would need to filter only a portion of the domain, e.g. https://www.example.com/projects/
– Antinous
Sep 3 at 13:45








I may be able to achieve this by creating a .htaccess file in my /projects/ server folder (possibly)
– Antinous
Sep 3 at 14:51







You probably can, and it will get you slightly better performance than with PHP, although not necessarily as much as you think. Apache loads up the PHP interpreter for every request, so your footprint is still large. However, that isn't me saying that it is a bad idea. For small applications server resources are rarely a problem, so using .htaccess or even PHP is unlikely to cause you actual problems.
– Conor Mancone
Sep 3 at 15:50





Resources aren't really a problem, but this is something to bear in mind for future work.
– Antinous
Sep 3 at 16:05
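The application-level alternative raised in the question ("check the client IP within the PHP") and weighed against a firewall rule in the answer above, as an added example that is not part of the original post or of any answer: a PHP gate placed at the top of an endpoint that compares the connecting address against an office allowlist, with CIDR support for both IPv4 and IPv6. The addresses 203.0.113.10, 2001:db8:1::/48 and 10.0.0.5, and the function names, are placeholders chosen for this example and are not from the page.

```php
<?php
// Added example, not code from the original post. Office and proxy addresses below
// are placeholders (RFC 5737 / RFC 3849 / RFC 1918 ranges); replace with your own.
declare(strict_types=1);

/**
 * True if $ip (IPv4 or IPv6) lies inside $cidr, e.g. "203.0.113.0/24" or
 * "2001:db8::/32". A bare address with no prefix length matches that single host.
 */
function ipInCidr(string $ip, string $cidr): bool
{
    $parts  = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // malformed address, or IPv4 compared against IPv6
    }
    $maxBits = strlen($ipBin) * 8;
    $bits    = isset($parts[1]) ? (int)$parts[1] : $maxBits;
    if ($bits < 0 || $bits > $maxBits) {
        return false;
    }
    // Compare the whole prefix bytes first, then the leading bits of the partial byte.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

/**
 * Work out the client address. REMOTE_ADDR is the other end of the TCP connection,
 * so a client cannot fake it and still complete the handshake. X-Forwarded-For is an
 * ordinary request header that anyone can send, so it is only honoured when the
 * connection actually came from a reverse proxy you operate.
 */
function clientIp(array $server, array $trustedProxies): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null) {
        return null;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, $trustedProxies, true)) {
        // Each proxy appends the address it received from; the last entry is the
        // one written by our trusted proxy, whatever the client put in front of it.
        $hops = array_map('trim', explode(',', $xff));
        return end($hops) ?: null;
    }
    return $peer;
}

function isAllowed(?string $ip, array $allowlist): bool
{
    if ($ip === null) {
        return false;
    }
    foreach ($allowlist as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Gate: run before any other work in the endpoint (or from a common include).
$officeAllowlist = ['203.0.113.10', '2001:db8:1::/48']; // placeholder office addresses
$trustedProxies  = ['10.0.0.5'];                        // placeholder reverse proxy, if any

if (PHP_SAPI !== 'cli') {
    $ip = clientIp($_SERVER, $trustedProxies);
    if (!isAllowed($ip, $officeAllowlist)) {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit('Forbidden');
    }
}
```

Put the gate ahead of the JWT check so an out-of-office client learns nothing about the login flow. If there is no reverse proxy in front of Apache, leave the trusted-proxy list empty; honouring X-Forwarded-For from arbitrary peers would let anyone bypass the allowlist by sending the office address in that header. As the answer notes, this still costs a PHP start per rejected request, so it complements a firewall or .htaccess rule rather than replacing one.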



Your idea on the domains is rather wrong. You need to understand one essential thing about a web server.



There is no such thing as "access from a domain". It is not a "software" which is sending requests to endpoints but a client (which is usually a browser). A client may read some information from your server first, but that is unnecessary.



Long story short, you cannot limit access to your endpoints "from a domain".



The idea of the IP address is more fruitful, and more plausible than you think. Offices seldom change their IP, let alone use a dynamic one. So you can limit access to the whole www.example.com server (not only the endpoints) based on the IP address of your office.



Though there is another catch, as an IP address can be forged, and thus it is possible to create a request that will be allowed to send something to your endpoint (however without the ability to get the response).



But I would consider such a protection rather unnecessary given you are using JWT for the authentication (and, I assume, HTTPS for the secured connection).





Thank you. Yes, I knew my understanding of the basic principles was incorrect. I am using SSL/TLS for communication and JWT for authentication, but my client is requesting I block access from outside their IP.
– Antinous
Sep 3 at 13:45




Ok, this is how I solved the problem:



In your server's File Manager, in the folder you wish to restrict access, create a new .htaccess file and add the following lines:




# Apache 2.2 access-control syntax (on Apache 2.4 it needs mod_access_compat).
# The keywords must be separated by a comma only, with no space after it.
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
# Apache 2.4 native equivalent:  Require ip 1.2.3.4



where 1.2.3.4 is the IP address you wish to allow.





You can grant additional access by comma-separating IP addresses or, if that doesn't work, just use additional Allow from lines.





I believe you can also add wildcard IP addresses too.


