PHP referrer: how to make sure a request actually comes from where it is supposed to come from
I would like to put a link back to my site on other "approved" domains. When they click on the link it goes to a page that checks the referrer ($_SERVER['HTTP_REFERRER']) to make sure they came from a domain that is approved to have my link. This can be spoofed so how can I make sure the clicks are actually coming from the approved domains?
Comments (1)
You can't do it. You can't prevent the referrer from being tampered with.
An alternative would be possible if there's collaboration between the several sites. For instance, the links in the other sites to yours could pass a token as a parameter in the URL that would be usable only once and which you could then validate.
Several validation strategies would be possible. Your site could contact the other site and ask it if the passed token is valid or you could employ a signature with the token acting as a nonce so you didn't have to contact the other site.
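The signed-nonce variant described in the answer, as an added example that is not part of the original post: the partner site mints a link carrying a random nonce, an expiry and an HMAC bound to its partner id, and the receiving site verifies the signature, the expiry and single use without looking at the Referer header at all. Partner ids, the shared secret and the URL are assumed placeholders.

```php
<?php
// Added example, not code from the question or answer: the partner site embeds a
// signed one-time token in its link, and the receiving site verifies the token
// instead of trusting the Referer header. Assumes a shared secret per partner
// (hypothetical) and a server-side store of consumed nonces (array here; use a
// database with expiry in production).

const PARTNER_SECRETS = [
    'partner-a' => 'replace-with-a-long-random-secret', // hypothetical partner
];

// Partner side: random nonce, short expiry, HMAC over both bound to partner id.
function make_link(string $partner, string $secret, int $ttl = 300): string
{
    $nonce = bin2hex(random_bytes(16));
    $exp   = time() + $ttl;
    $sig   = hash_hmac('sha256', "$partner|$nonce|$exp", $secret);
    return 'https://example.com/from-partner.php?'
        . http_build_query(['p' => $partner, 'n' => $nonce, 'e' => $exp, 's' => $sig]);
}

// Receiving side: check signature (constant time), expiry and single use.
// Returns the partner id on success, null on any failure.
function verify_click(array $query, array &$usedNonces): ?string
{
    foreach (['p', 'n', 'e', 's'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null;
        }
    }
    $secret = PARTNER_SECRETS[$query['p']] ?? null;
    if ($secret === null || !ctype_xdigit($query['n']) || !ctype_digit($query['e'])) {
        return null;
    }
    $expected = hash_hmac('sha256', "{$query['p']}|{$query['n']}|{$query['e']}", $secret);
    if (!hash_equals($expected, $query['s'])) {
        return null; // forged or altered token
    }
    if ((int) $query['e'] < time() || isset($usedNonces[$query['n']])) {
        return null; // expired, or nonce already consumed (replay)
    }
    $usedNonces[$query['n']] = true; // consume the nonce
    return $query['p'];
}

// Usage: mint a link, then simulate the same click arriving twice.
$used = [];
parse_str(parse_url(make_link('partner-a', PARTNER_SECRETS['partner-a']), PHP_URL_QUERY), $q);
var_dump(verify_click($q, $used), verify_click($q, $used));
```

The first call returns the partner id and the second returns null, because the nonce has already been consumed; the used-nonce store only needs to retain entries until their expiry has passed.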