How to confirm that the request was made through the site securely

Hello,

It is not possible to create a system that guarantees 100% that the request was made from a page of your site, because technically no requests are made "from your site" while the user is browsing, since all requests are made by browser, that is, by the client. And everything that comes from the client is liable to be manipulable.

The only way would be if the request was literally made by the server, ie you make a request using eg. PHP curl direct to a url of your application, but I understand that this escapes the purpose of your questioning.

  

Conclusion: It is not possible to have 100% guarantee of origin of a   HTTP request from a client that is not controlled by you or the   your own application.

Following is a diagram illustrating:

There are two points to consider, one of which has a solution:

• I want to prevent another website from sending a request to my site:

    

  A website ( malicioso.com ) is making requests for seusite.com , taking advantage even of user-initiated sessions on your site.

• I want to prevent you from submitting requests to my site being out of it .

    

  Software that is not a browser (for example, curl ) is making requests for seusite.com , typically automatically and non-human.

The first case is a website that runs on the client side such a request, for example:

malicioso.com:
 <img src="http://seusite.com/deletar_conta.php">

Whenyouaccessthepageitwillcallyourpage.ThiscouldbedonewithAJAXoranyothermethod,aslongasitrunsontheclientside,inthebrowseroftheuserwhoisaccessingthemalicioso.com.

Solutions:

Faciesandapplicableingeneraluse,withlowimpacttotheuser:

• AddheaderfromX-Frame-OptionstoDENY

    

  Thiswillpreventanothersitefrommakingaiframeofyourwebsite.

• AddCSRF-Token(usingaCSPRNG)onallforms.

    

  ThemalicioussitewillnothaveaccesstotheCSRF-Tokenunlessthereisanothervulnerability,suchasXSS.

• AddtheflagfromSameSitetostrictinthesessioncookie(notsupportednativelybyPHP,butcandothismanually):

    

  Therequestmadeforyoursitewillnothavecookies,butthisisstillanexperimentalfeatureandnotsupportedineverybrowser.

Moderate,withlowimpactfortheuser:

• Sendapublickey(RSAcase)orcommonkey(HMACorAES-GCMcase)totheuseranduseittomakecallsviaAJAX.

    

  ThekeywillbeinthebodyofthepageorinthelocalStorageandwillbeusedtosign/encrypttheinformation,themalicioussitewillnothaveaccesstothisinformationunlessthereisanothervulnerability.

Difficultandhighimpactfortheuser:

• Donotusecookiesassessionsanddonotrecyclesessions.

    

  Youcanuseforexamplethewebsocket,oncetheconnectionisstarted,nootheronewiththesameidentifiercanbeopened.Anotheroptionistousesomekeyderivation,sowhentheuserlogsinbothpartiescanrecognizethegeneratedkeyuser.Bothcasesanynewrequestmadebythemaliciouswebsitewillnotbeabletotakeadvantageofanalreadyopensession.

Thesecondcaseistopreventyoufromsendingrequestsoutsidemysite,preventingthemfrombeingabletoautomateactionsorusingsoftwaresuchascURLtomakerequestsonmysite,suchas:

curl-X"POST" -d "CSRF=12345678&CONTA=12345678" -H "Cookie: sessao=ui1j3dasqwe123;" -H "Referer: seusite.com" https://seusite.com/deletar_conta.php

I want to make sure that the user has moved the mouse to the button and clicked it inside my site.

Solutions:

• There's no way

"Pseudo-Solutions":

This will not fix the problem, requests can still be made outside your site!

• Add Captcha to avoid non-human requests.

    

  This will increase the cost so that you can send the request off the website, a bot will not be able to make this request easily, but it is still possible.

       

  Normally the user will have to write in text the message displayed in image, this can be inconvenient to the user, however if it is more certain that the user really is legitimate, after all he was able to write the correct text.

• Add a PoW (ex hashcash ) to avoid automations.

    

  This is based on Bitcoin. The user must calculate a hash and this will cost computing power, increasing the cost for new requests to be made.