Is there any way I can limit third-party POST submissions to my site? I would like to deny them all. There is, for example, cURL, which does this like a robbery, but I wanted to inhibit it; is there a way?
When I say third-party, I mean submissions that come from another site that is not mine.
For any measure you take, do two calculations. First, weigh the cost of doing nothing (high for a bank, low for a blog) against the cost of the measure (development, maintenance, friction for legitimate users). Second, check that the measure raises the attacker's cost more than it raises the cost to you and your users. Security is never absolute and is always a compromise.
Forms are abused by flooding, either manually or automated. Any attack will look as close as possible to a legitimate request; the attacker's effort will depend on the reward.
Remember that HTTP is stateless. In principle, every call reaches you without any prior history, and the sender has to prove that you already approved it before:

- POST
  attribute of a session that exists on the server (third parties have to guess or steal the ID of an active session on the server)

1. Everything related to IP can be fooled by using multiple IPs, VPNs, or by acquiring a new IP.
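One way to tie a POST to a session that exists on the server, as the answer above describes, is a per-session secret that the form has to echo back. This is an added PHP example, not code from the answer; the function names, the `form_token` field name and the cookie settings are assumptions.

```php
<?php
// Added example (not from the original answer). A POST is accepted only if it
// carries a secret that lives in the server-side session, so a third party
// would have to guess or steal the ID of an active session to forge one.

declare(strict_types=1);

function startSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Lax SameSite stops browsers from attaching the session cookie to
        // cross-site POSTs at all (PHP >= 7.3); an extra layer beside the token.
        session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
        session_start();
    }
}

// Issued when the form is rendered. The value exists only in this session,
// so a page on another site cannot read it into its own form.
function issueFormToken(): string
{
    startSession();
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// Compares the submitted value with the stored one in constant time.
function verifyFormToken(?string $submitted): bool
{
    startSession();
    $expected = $_SESSION['form_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!verifyFormToken($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Rejected: this POST is not tied to a session this server issued.');
    }
    // ... handle the legitimate submission here ...
    exit('OK');
}

$token = htmlspecialchars(issueFormToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">',
     '<input type="hidden" name="form_token" value="', $token, '">',
     '<input type="text" name="message">',
     '<button type="submit">Send</button>',
     '</form>';
```

This blocks a POST that another site's page triggers in a visitor's browser, which is the "third party" of the question. A script such as cURL can still GET the form first and replay the token within its own session, so on its own the token raises the attacker's cost rather than stopping automation; that is the trade-off the answer describes.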
An effective approach is to check the "DNS reverse lookup". At your hosting provider, configure it, or ask for the "DNS reverse lookup" ("DNS reverso" in Portuguese).
Then, whenever you receive a request (POST, GET), check the reverse DNS lookup for the client IP.
In PHP there are network functions such as gethostbyname, gethostbyaddr and dns_get_record with which you can extract the data to aid in "authentication".
Note that the reverse DNS lookup can also be circumvented, so do not trust it 100% as an absolute solution. However, it is much safer than just checking HTTP_REFERER. HTTP_REFERER is easily manipulated; cURL even has an option for it. Reverse DNS, on the other hand, requires changing the configuration of the server that submits the data.
We can say that 99.999% of bots cannot change the reverse DNS of the servers they use because, logistically, bots target millions of servers and would need to modify the reverse DNS of the servers they run their scripts from millions of times. It is not feasible due to the high cost.
For example, if your site has the address www.seu.site, set the reverse DNS to "www.seu.site". On a shared hosting server it is usually not possible to customize this, but you can ask the company that administers the server to at least configure the reverse DNS so that a valid name is returned. Usually you get something like "address.provider.hosting".
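An added PHP example, not code from the answer above, of the reverse-lookup check using the functions it names (gethostbyaddr and dns_get_record). It goes one step beyond the answer: the reverse name is forward-confirmed, so a PTR record alone is not trusted. The allowed suffix `seu.site` and the function names are assumptions.

```php
<?php
// Added example (not from the original answer). Looks up the client IP's
// reverse DNS name and forward-confirms it: the name from the PTR record must
// resolve back to the same IP, otherwise whoever controls the PTR zone for
// their own address range could return any name they like. Requires PHP 8.

declare(strict_types=1);

// Packed form of an IP so that "2001:db8::1" and "2001:0db8:0000::0001"
// compare equal. Returns null for invalid input.
function packedIp(string $ip): ?string
{
    $packed = @inet_pton($ip);
    return $packed === false ? null : $packed;
}

// Forward-confirmed reverse name of $ip, or null when the reverse lookup
// fails, the forward lookup fails, or the forward records do not include $ip.
function confirmedReverseName(string $ip): ?string
{
    $packed = packedIp($ip);
    if ($packed === null) {
        return null;
    }
    // gethostbyaddr() returns the unchanged IP when there is no PTR record.
    $name = gethostbyaddr($ip);
    if ($name === false || $name === $ip) {
        return null;
    }
    $name = strtolower(rtrim($name, '.'));

    // Forward lookup: both A and AAAA records for the reverse name.
    $records = @dns_get_record($name, DNS_A | DNS_AAAA);
    if ($records === false) {
        return null;
    }
    foreach ($records as $rr) {
        $candidate = $rr['ip'] ?? $rr['ipv6'] ?? null;
        if ($candidate !== null && packedIp($candidate) === $packed) {
            return $name;   // PTR and forward record agree
        }
    }
    return null;
}

// True when $name equals, or is a subdomain of, one of $allowedSuffixes.
function nameIsAllowed(?string $name, array $allowedSuffixes): bool
{
    if ($name === null) {
        return false;
    }
    foreach ($allowedSuffixes as $suffix) {
        $suffix = strtolower(trim($suffix, '.'));
        if ($name === $suffix || str_ends_with($name, '.' . $suffix)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer, the only address this server observed itself;
// X-Forwarded-For is supplied by the client and must not be used here.
$clientIp = $_SERVER['REMOTE_ADDR'] ?? '';
$allowedSuffixes = ['seu.site'];   // assumption: names you expect POSTs from

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    && !nameIsAllowed(confirmedReverseName($clientIp), $allowedSuffixes)) {
    http_response_code(403);
    exit('Rejected: no confirmed reverse DNS name for '
        . htmlspecialchars($clientIp, ENT_QUOTES, 'UTF-8'));
}
// ... handle the accepted POST here ...
```

Because the name is forward-confirmed, asking the host for "at least a valid name" is not enough on its own: that name must also resolve back to the submitting server's IP. Note that this check identifies servers, not people; a visitor posting from a home connection arrives with a provider-assigned reverse name (or none), so the allow list only fits forms that are expected to be posted by your own server or a known partner's.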