
In my CMS, I left a way to make API calls to the system using specific URL structure, such as http://example.com/global/api/api_name

In the system, I need to know if the request was made from the same domain or any other to differentiate an in-site call and an out-site call.

Currently, I do this by extracting the DOMAIN name from the URL from which the request was made using PHP and then simply comparing the DOMAIN name with the site's DOMAIN name to take a decision.

// url() is the CMS helper that returns this site's base URL.
// Note: strpos() returns false when the needle is absent, and in PHP
// `false == 0` is true, so the comparison must be strict (===).
if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], url()) === 0) {
    // this site
}
else {
    // I don't serve aliens
}

I need to know if hackers can alter their domain names to mine and make the call.

What would be much better way to distinguish the two callers? :)

  • To answer the title: yes, it's possible to alter the domain in AJAX. This is because AJAX is JavaScript and therefore client-side. So when the script is loaded, the domain can be edited in the loaded file and be executed – SuperDJ Aug 24 '15 at 12:04
  • Ok, thanks. But any suggestion on what I am desiring here? I mean, what to do or how to secure my calls to APIs? – Tanmay Chakrabarty Aug 25 '15 at 15:10
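An added example (not the question's own code, nor from any library) showing why the original prefix comparison accepts unrelated referers, and one way to tell in-site callers apart that does not rely on a header the client controls: a random token bound to the session and required on every API call. It assumes a configured SITE_HOST constant (placeholder) and that PHP sessions are started for browser requests.

```php
<?php
// Added example, not from the original question. SITE_HOST is a placeholder
// for the site's configured canonical host; sessions are assumed to be in use.
const SITE_HOST = 'example.com';

// The Referer approach done carefully. Two PHP pitfalls in the original:
// strpos() returns false when the needle is absent and `false == 0` is true,
// and a string-prefix test also matches "https://example.com.evil.test/".
// Compare the parsed host with === instead.
function refererLooksLocal(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strtolower($host) === SITE_HOST;
}

// Any non-browser client can send whatever Referer/Origin it likes, so the
// header check above only filters accidental cross-site traffic. For a real
// in-site guarantee, hand the page a random token tied to the session and
// require it on each API call; an outside caller has no way to obtain it.
function issueApiToken(): string
{
    if (empty($_SESSION['api_token'])) {
        $_SESSION['api_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['api_token'];
}

// $server and $session are passed in (normally $_SERVER and $_SESSION) so the
// check is testable without globals. The token travels in a custom header
// (name is an assumption) set by the site's own JavaScript.
function isInSiteCall(array $server, array $session): bool
{
    $presented = $server['HTTP_X_API_TOKEN'] ?? '';
    $expected  = $session['api_token'] ?? '';
    // hash_equals compares in constant time so timing does not leak the token.
    return $expected !== '' && hash_equals($expected, $presented);
}

// Usage in the API front controller, after session_start():
// if (!isInSiteCall($_SERVER, $_SESSION)) { http_response_code(403); exit; }
```

The page-rendering code embeds issueApiToken() in the markup and the site's scripts send it back as X-API-Token; requests without it (or with a stale one) are treated as out-site regardless of what Referer says.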
