Block Curl access to my server?

Viewed 757 times

0

Is it possible to block Curl access to my server? For example, I have a VIP site with a user-generated security key, and I want to prevent anyone from logging in to the system via Curl. I tested with a captcha and I can still log in via the key with Curl.

  • With a captcha and you still can? Show the sff code; it may be that the server-side captcha check is wrong. Are you saving what is displayed on the captcha in the session?

  • It seems that the problem is not blocking Curl... it is a poorly implemented captcha.

1 answer

3


If you have access to the .htaccess file, add these lines to it:

<IfModule mod_headers.c>
    Header set Access-Control-Allow-Origin "www.seudominio.com"
</IfModule>

If not, you will have to add this manually to your PHP files:

header('Access-Control-Allow-Origin: www.seudominio.com');

The Access-Control-Allow-Origin header will cause your site to accept only requests from the specified domains; if you set the value to *, it will accept requests from any site. Test it to see if it works.

If the above example does not work, you can check a request through a hash, for example:

  1. When you open the login screen you create a Session with a hash.
  2. On the page that receives and validates the login data you check the existence of that Session.

I do not know how safe this method would be, but if it is only to avoid requests made by scripts, I believe it will work, since the user will not be validated if the POST is done via Curl to the PHP page.

You can also take a look at functions like CURLOPT_HTTPHEADER; take a look at this question: https://stackoverflow.com/a/9391270/6907051

  • Leo, it did not work; I can still cheat the system via Curl even with the steps you gave me above!

  • I added a few more options. Blocking Curl requests is a bit difficult; the best way would be to create a hash to validate the login.

  • Thanks, friend, it seems the first one worked; it was just that Curl had not updated at the time.

  • That is not enough. With a hash, it suffices for CURL to capture the hash beforehand, i.e., CURL-1 takes the hash and CURL-2 uses the captured hash with the same cookies, simple as that. The Access-Control-Allow-Origin header only affects the client side; CURL runs outside the domain of a website. The only way (and a complex one at that) would be to write JavaScript that generates a unique access code on the client side, even though it is not that efficient; see this here.
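
The two-step session hash check from the answer, as an added PHP example that is not part of the original answer or comments; `$session` stands in for `$_SESSION` so the script runs from the CLI, and the function names and the 300-second lifetime are assumptions. It shows that the check rejects a POST sent without loading the form and rejects a replayed token, but accepts any client that loaded the form in the same session, which is the limitation the last comment describes.

```php
<?php
// Added example, not the answer's code. $session stands in for $_SESSION;
// function names and TOKEN_TTL are assumptions made for illustration.
const TOKEN_TTL = 300; // seconds a rendered login form stays valid (assumed)

// Step 1: called when the login form is rendered.
function issue_login_token(array &$session, int $now): string
{
    $token = bin2hex(random_bytes(32)); // unpredictable, 64 hex characters
    $session['login_token'] = ['value' => $token, 'issued' => $now];
    return $token; // embed this in a hidden <input> of the form
}

// Step 2: called by the page that receives and validates the login data.
function check_login_token(array &$session, ?string $submitted, int $now): bool
{
    $stored = $session['login_token'] ?? null;
    unset($session['login_token']); // single use: a replay finds nothing stored
    if ($stored === null || $submitted === null) {
        return false; // form was never loaded in this session, or field missing
    }
    if ($now - $stored['issued'] > TOKEN_TTL) {
        return false; // form is too old
    }
    return hash_equals($stored['value'], $submitted); // constant-time comparison
}

// Constructed walk-through of three requests against the check.
$now = time();

// Case 1: POST sent straight to the login handler, form never loaded.
$blind = [];
printf("blind POST accepted: %s\n",
    var_export(check_login_token($blind, 'guess', $now), true));

// Case 2: client loaded the form first and kept its session cookie.
// The server cannot tell from the token whether this is a browser or a script.
$client = [];
$token = issue_login_token($client, $now);
printf("POST after loading form accepted: %s\n",
    var_export(check_login_token($client, $token, $now), true));

// Case 3: the same token submitted a second time.
printf("replayed token accepted: %s\n",
    var_export(check_login_token($client, $token, $now), true));
```

The token check removes blind and replayed POSTs, so the key or password check that follows it remains the control that decides whether a login succeeds.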
