@shimarin
Last active September 23, 2016 13:49
stateless csrf (via xhr) prevention
<?php
// Reject cross-site requests: if the browser sent an Origin header, its host must
// match this server's name. Requests that carry no Origin header are let through.
if (isset($_SERVER["HTTP_ORIGIN"])) {
    if (parse_url(explode(",", $_SERVER["HTTP_ORIGIN"])[0], PHP_URL_HOST) != $_SERVER["SERVER_NAME"]) {
        header("HTTP/1.1 403 Forbidden");
        exit;
    }
}
// For requests that should always be made via XHR, add this check as well:
// a custom header is only sent cross-origin after a successful CORS preflight,
// so a plain cross-site form post or image request cannot carry it.
if (!isset($_SERVER["HTTP_X_REQUESTED_WITH"]) || $_SERVER["HTTP_X_REQUESTED_WITH"] != "XMLHttpRequest") {
    header("HTTP/1.1 403 Forbidden");
    exit;
}
// AngularJS: make every $http request carry the X-Requested-With header that
// the server-side check above requires.
myModule.config(function($httpProvider) {
    $httpProvider.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
});
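The two server-side checks, refactored into a testable function with constructed sample requests so the accepted and rejected cases can be seen side by side. This is an added example, not code from the gist; the function name isSameOriginXhr and the sample host names are assumptions.

```php
<?php
// Added example (not part of the gist): the Origin and X-Requested-With checks as one
// function over a $_SERVER-like array, exercised with constructed sample requests.

/**
 * Returns true when the request looks like a same-origin XHR:
 *  - the Origin header, if present, names the same host the server believes it is, and
 *  - the X-Requested-With header is exactly "XMLHttpRequest".
 * As in the gist, a request without an Origin header passes the first check.
 */
function isSameOriginXhr(array $server): bool
{
    if (isset($server['HTTP_ORIGIN'])) {
        // Some clients or proxies send a comma-separated list; only the first entry counts.
        $origin = trim(explode(',', $server['HTTP_ORIGIN'])[0]);
        $originHost = parse_url($origin, PHP_URL_HOST);
        // parse_url() yields null for the literal Origin value "null" (sandboxed frames,
        // some redirects), so that case is rejected as well.
        // SERVER_NAME may be derived from the Host header depending on web-server
        // configuration; comparing against a fixed expected host name is the stricter choice.
        if ($originHost !== $server['SERVER_NAME']) {
            return false;
        }
    }
    // Browsers only send this custom header cross-origin after a successful CORS preflight,
    // so a plain form post or image request from another site cannot carry it.
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && $server['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest';
}

// Constructed sample requests (not real traffic); host names are placeholders.
$cases = [
    'same-origin xhr' => ['SERVER_NAME' => 'app.example', 'HTTP_ORIGIN' => 'https://app.example',
                          'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'foreign origin'  => ['SERVER_NAME' => 'app.example', 'HTTP_ORIGIN' => 'https://other.example',
                          'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'origin null'     => ['SERVER_NAME' => 'app.example', 'HTTP_ORIGIN' => 'null',
                          'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'plain form post' => ['SERVER_NAME' => 'app.example', 'HTTP_ORIGIN' => 'https://app.example'],
    'no origin, xhr'  => ['SERVER_NAME' => 'app.example', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
];
foreach ($cases as $name => $server) {
    printf("%-16s %s\n", $name, isSameOriginXhr($server) ? 'allowed' : '403 Forbidden');
}
```

Run it with the PHP CLI to see which constructed requests each check lets through; the last case illustrates that the Origin check alone does nothing when the header is absent, which is why the gist pairs it with the X-Requested-With check.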