At least it was funny to see how people post such great bullshit on the internet. When that’s how you quote the source.
This code blocks your own internal access and nobody else's. You are the localhost, not the external user. No external user communicates with you via localhost; if that were so, everyone would be localhost and there would be no way to differentiate between the users accessing.
Forget it, you have no control over what others do on their computers. Any attempt to protect yourself from something external will only cause further confusion. The only security you can provide is to correctly validate all data that comes from outside. This depends on each case, but you cannot validate intention, only the received data.
There is no effective way to prevent the user from sending data however they want; what is effective is to ensure that every aspect of the received data is in accordance with what you want.
You can't tell where the information comes from; it is always hidden. Even the IP can be faked if whoever does this does not want to receive a response from your server.
I recommend you remove the "security" you use today. It's better because it tries to validate the information, but it's creating a problem that you don't see: you're preventing some legitimate access.
When you write software, it is more important to test what doesn't work. Testing is difficult because you don't always know everything that needs to be tested. By analogy, in this case you are trying to find out whether the person's name is spelled correctly. It is impossible to know; it is the person's problem, and not yours, to know what is correct.
I'm amazed that even here everyone, myself included, presents simplified, naive solutions without extensive testing, which the people who wrote them, if they were aware of it, would probably not use without a deeper analysis, yet whoever reads them goes off using them as if the solution were perfect.
Programming is difficult; there are many variants that need to be analyzed, and without understanding the whole underlying problem, issues, mainly security ones, will occur in droves.
Today there are campaigns to bring new programmers into the industry. They have two objectives: 1) to create consumers for programming tools, no matter what results happen, including because wrong programming also makes the industry move; 2) to find quality in quantity; after all, there is hope that all new programmers will seek to understand the basics and all the necessary aspects.
So question everything you read on the Internet, even what you read here. Here we have people validating the answers, but it is common for people to have a low critical sense, and this validation does not always occur as it should. People tend to want to please more than to do right, and everyone gets hurt by it. We can call this professional populism. They want to create an appearance of being helpful.
This is still the most likely place to get a more consistent response and to develop, but I still recommend studying how the protocols work, using a packet analyzer to see how the data travels, and trying to forge the data in every way. No one can do this for you. Whenever you find a problem and don't know how to solve it, you should look for reliable and verifiable sources (plural).
The wise guy does not need to submit a form via localhost; he just clicks on inspect element, finds the form and changes the input he wants... Voilà, now we have a breached form sent by the same HTTP_REFERER.
– Papa Charlie
Or rather, he doesn't even need to find a form; he can create his own. Everything on the client side is the "client". If your page is public, I really see no reason to protect the data that way; if your page is private, it means that the account is the user. If the user has access to data in the form that should be restricted, then this is a flaw in your development strategy (sorry for the sincerity): there is data that really does not need to go to the front end.
– Guilherme Nascimento
So there is no safe POST? They can all be violated!
– Cassiano José
@CassianoJosé the POST is irrelevant; the problem is the data in the POST. If there is no relevant data in the <form>, there is no security problem; the guy can change the action to send it to the devil, and the devil will still only receive data that does not affect security. AS I SAID: there is a way to pass data safely without having to send it to the front end. Another thing: if your page is PUBLIC, there is no need to violate the forms; a BOT just "downloads" the page that has the form, and there you go, your data is compromised...
– Guilherme Nascimento
...continuing, what will make it safe is what YOU EXPOSE on the front end, so the problem is not with the forms, BUT HOW YOU DESIGNED them.
– Guilherme Nascimento
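The answer's point (you cannot validate origin, only received data) and the comments' point (nothing sensitive should travel through the form at all) can be shown together in one handler. The following is an added example, not code from the answer or the thread; it models a request as a plain dict (constructed, no real HTTP) and keeps the authoritative price in a server-side catalogue. The field names, the catalogue and the sample requests are all assumptions for illustration.

```python
"""Server-side validation of a form POST that ignores client-supplied origin hints.

Constructed example: a request is a dict with the shape a web framework would
hand to a handler ('remote_addr', 'headers', 'form'). No real HTTP is involved.
"""
import re

# Server-side catalogue (constructed): the authoritative price lives here,
# never in a hidden form field that the client could rewrite.
CATALOGUE = {"sku-100": 1999, "sku-200": 4500}  # prices in cents

# What each accepted field must look like. Anything else is rejected or ignored.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
MAX_QTY = 10


class ValidationError(ValueError):
    """Raised when a received field does not match what the server expects."""


def validate_submission(request):
    """Return a clean order dict built only from validated field values.

    Referer and remote_addr are deliberately never read: the client chooses
    both, so they carry no evidence about who sent the data or what it holds.
    """
    form = request.get("form", {})

    username = form.get("username", "")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username: 3-32 chars of [a-z0-9_]")

    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValidationError("sku: unknown product")

    qty_raw = form.get("qty", "")
    if not isinstance(qty_raw, str) or not qty_raw.isdigit():
        raise ValidationError("qty: must be a positive integer")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError(f"qty: must be between 1 and {MAX_QTY}")

    # The total is recomputed from the server's catalogue. A 'price' field the
    # client may have added is simply never looked at, so tampering with it is
    # harmless; unknown fields are dropped rather than trusted.
    return {
        "username": username,
        "sku": sku,
        "qty": qty,
        "total_cents": CATALOGUE[sku] * qty,
    }


def handle(request):
    """Return (status, body) the way a web handler would."""
    try:
        order = validate_submission(request)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    return 200, order


# Constructed sample requests.
# 1) Remote client claiming a localhost Referer and adding its own 'price':
#    accepted, because the data itself is valid and the price is ignored.
FORGED_ORIGIN_GOOD_DATA = {
    "remote_addr": "203.0.113.7",  # TEST-NET address, constructed
    "headers": {"Referer": "http://localhost/shop"},
    "form": {"username": "alice_01", "sku": "sku-200", "qty": "2", "price": "1"},
}
# 2) Genuine localhost request with an out-of-range quantity: rejected.
LOCALHOST_BAD_DATA = {
    "remote_addr": "127.0.0.1",
    "headers": {"Referer": "http://localhost/shop"},
    "form": {"username": "alice_01", "sku": "sku-200", "qty": "999"},
}
# 3) Markup in a text field: rejected by the username whitelist.
INJECTED_USERNAME = {
    "remote_addr": "127.0.0.1",
    "headers": {"Referer": "http://localhost/shop"},
    "form": {"username": "<script>alert(1)</script>", "sku": "sku-100", "qty": "1"},
}

if __name__ == "__main__":
    for name, req in [
        ("forged origin, good data", FORGED_ORIGIN_GOOD_DATA),
        ("localhost, bad data", LOCALHOST_BAD_DATA),
        ("injected username", INJECTED_USERNAME),
    ]:
        print(name, "->", handle(req))
```

The outcome depends only on the form fields: the request that looks "external" passes because its data is valid, and the two that look "local" fail because their data is not. Restricted values (here the price) never round-trip through the browser, which is the design point the comments make.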