
Get domain of a POST request

Tags: ajax, post, php

I have a script that makes a POST request to my website from other websites (different domains), and I need to know if it's possible to find out what that other domain is.

Like: helloworld.com uses my script and it executes a POST request with mywebsite.com. How does mywebsite.com know that the request is from helloworld.com?

I have tried with $_SERVER['REMOTE_HOST'] but that's not working.

asked Dec 11 '25 09:12

Ryan Casas


2 Answers

You need to inspect the HTTP referrer.

In PHP this would be $_SERVER['HTTP_REFERER'];.

In JavaScript, this would be document.referrer.

Note that it can be inaccurate and is easily spoofed, so its value should be taken with a pinch of salt.


To provide a little bit more detail on how you can do this reliably (albeit with the cooperation of the remote server):

  1. Let secret be an arbitrary string (abc123).
  2. Let key be a random string which is unique to each request (e.g. the current time).
  3. Generate token by md5(secret + key).
  4. Have the remote server include key and token (but not secret) in the POST request.
  5. On your server, ensure that md5(secret + key) === token.

Because no-one knows the secret, you can guarantee that the request originated from the remote server. Of course, it's then possible for someone to request the form from the remote server, steal the key and token, and then forward the request to yourself...

answered Dec 12 '25 21:12

Matt
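
The check from the answer above, as an added example that is not part of the original answer: it swaps md5(secret + key) for HMAC-SHA256 with a constant-time comparison, and puts a timestamp in the key so that old key/token pairs expire. SECRET, MAX_AGE, the function names and the field names "key" and "token" are assumptions made for illustration.

```php
<?php
// Added example, not the answer's code. SECRET, MAX_AGE and the field
// names "key" and "token" are assumptions chosen for illustration.
const SECRET  = 'replace-with-a-long-random-value'; // shared only with the partner server
const MAX_AGE = 300;                                // seconds a key/token pair stays valid

// Partner server: build the two values it places in the POST body.
function issue_token(string $secret, ?int $now = null): array
{
    // key = timestamp plus a random nonce, so it is unique per request
    $key = ($now ?? time()) . '.' . bin2hex(random_bytes(16));
    return ['key' => $key, 'token' => hash_hmac('sha256', $key, $secret)];
}

// Receiving server: recompute the token and check the key's age.
function verify_token(array $post, string $secret, ?int $now = null): bool
{
    $key   = $post['key']   ?? null;
    $token = $post['token'] ?? null;
    if (!is_string($key) || !is_string($token)) {
        return false;                        // missing or array-typed fields
    }
    // The key must look like "<unix time>.<32 hex chars>".
    if (!preg_match('/^(\d{1,12})\.[0-9a-f]{32}$/', $key, $m)) {
        return false;
    }
    $expected = hash_hmac('sha256', $key, $secret);
    if (!hash_equals($expected, $token)) {   // constant-time comparison
        return false;
    }
    // Reject stale keys to narrow the forwarding window the answer mentions.
    return abs(($now ?? time()) - (int) $m[1]) <= MAX_AGE;
}

// Constructed sample values, run from the command line:
$sent = issue_token(SECRET, 1700000000);
var_dump(verify_token($sent, SECRET, 1700000060));                    // fresh pair, untouched
var_dump(verify_token(['token' => 'x'] + $sent, SECRET, 1700000060)); // token altered
var_dump(verify_token($sent, SECRET, 1700000000 + 3600));             // same pair, an hour later
```

Within MAX_AGE a captured key/token pair is still accepted; rejecting reuse as well would require the receiving server to record the keys it has already seen.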


You should use HTTP_REFERER, but it cannot be fully trusted.

$_SERVER['HTTP_REFERER']

Take a look here, where it is documented: http://php.net/manual/en/reserved.variables.server.php

answered Dec 12 '25 21:12

Rene Pot


