In my CMS, I left a way to make API calls to the system using a specific URL structure, such as http://example.com/global/api/api_name
In the system, I need to know whether the request was made from the same domain or from any other, to differentiate an in-site call from an out-site call.
Currently, I do this by extracting the DOMAIN name from the URL from which the request was made using PHP and then simply comparing that DOMAIN name with the site's DOMAIN name to make the decision.
// strpos() returns false when the needle is not found, and in PHP false == 0 is true,
// so a loose comparison treated "not found" as a match; use === and check the header exists.
if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], url()) === 0) {
    // this site
}
else {
    // I don't serve aliens
}
I need to know: can hackers alter their domain names to mine and make the call?
What would be a much better way to distinguish the two callers? :)
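Added example, not part of the original question or of the asker's CMS: it shows why a prefix test on the Referer is too loose (an exact host comparison is needed), and a session-bound token as a stronger way to tell an in-site call from an outside one, since the Referer header is supplied by the client and cannot be relied on. It assumes a function url() returning the site's base URL, as in the question; the host names, session array and token values are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Assumed CMS helper from the question: returns the site's base URL.
function url(): string
{
    return 'http://example.com';
}

/**
 * Compare the Referer's host with the site's host exactly. The prefix test
 * strpos($referer, url()) === 0 accepts "http://example.com.evil.test/" for a
 * site "http://example.com" because the strings start the same way.
 * Even an exact match only catches accidental cross-site calls from ordinary
 * browsers: any HTTP client can send whatever Referer value it likes.
 */
function refererMatchesSite(?string $referer, string $siteUrl): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $refHost  = parse_url($referer, PHP_URL_HOST);
    $siteHost = parse_url($siteUrl, PHP_URL_HOST);
    if (!is_string($refHost) || !is_string($siteHost)) {
        return false;
    }
    return strcasecmp($refHost, $siteHost) === 0;
}

/**
 * Stronger distinction: the CMS stores a random token in the visitor's session
 * and embeds it in the pages it renders; in-site scripts send it back with each
 * API call. A caller that never loaded a page in this session does not have it,
 * regardless of which Referer it sends. $session stands in for $_SESSION.
 */
function issueApiToken(array &$session): string
{
    if (empty($session['api_token'])) {
        $session['api_token'] = bin2hex(random_bytes(32));
    }
    return $session['api_token'];
}

function isInSiteCall(array $session, ?string $presentedToken): bool
{
    if (empty($session['api_token']) || $presentedToken === null) {
        return false;
    }
    // Constant-time comparison avoids leaking how much of the token matched.
    return hash_equals($session['api_token'], $presentedToken);
}

// --- constructed demonstration values ---
$siteUrl = url();

var_dump(refererMatchesSite('http://example.com/page', $siteUrl));
var_dump(refererMatchesSite('http://example.com.evil.test/page', $siteUrl));
var_dump(refererMatchesSite(null, $siteUrl));

$session = [];
$token = issueApiToken($session);
var_dump(isInSiteCall($session, $token));
var_dump(isInSiteCall($session, 'not-the-issued-token'));
```

The first two var_dump calls show the difference between the prefix test and the exact host comparison: the look-alike host passes strpos() but fails refererMatchesSite(). The token check is what actually separates the two callers, because it depends on state the server created rather than on a header the caller fills in.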