Previously I thought that PHP cURL simulated requests also had cross-origin restrictions.

Question

When designing an interface, for sensitive data that requires permission to access (for example, personal data that can only be viewed after login), I do token detection. However, other ordinary interfaces can be fetched directly; I only added a cross-origin header to prevent cross-origin calls. But PHP cURL can still get them. Later I read this from eechen, as follows:

    The same-origin policy that prevents cross-origin requests is a security mechanism in browsers. PHP's cURL can be seen as a browser (client) on the command line without any restrictions, just as you use file_get_contents to download things from the Internet as you wish, regardless of their origin.

Doesn't this design seem unreasonable? JS Ajax has cross-origin restrictions, but PHP cURL in this form has no cross-origin restriction. Why is there no cross-origin restriction for PHP cURL? What form would a cross-origin restriction on PHP cURL take? How can cross-origin calls of this form be prevented?

Solution

I read this before, when I wanted to write a NetEase Cloud Music client: NetEase Cloud Music prevents cross-origin calls through a CSRF_TOKEN.
PS: It seems that with this solution one can obtain the CSRF_TOKEN by web crawling and then perform cross-origin calls?
In addition, are there any other solutions to this problem?
Thank you for your answers!

============== 10-27 ==========================

Sorry, I got it wrong... I thought PHP cURL did some special processing. Thanks to South Bird. In fact, it is equivalent to directly accessing the specified URL, so naturally there is no cross-origin issue...

What if I want my interface to be inaccessible to the outside world?
On the intranet: you do not need to set anything for this.
Internet: set a CSRF_TOKEN.
But I checked some information about CSRF_TOKEN. CSRF_TOKEN is mainly used to prevent Cross-Site Request Forgery; it is not used for this... it prevents attacks that carry your authorization information (cookie: SESSIONID).
Check the Referer.
What else can I do?
I plan to use JWT to generate a Token; every request must carry the Token (including user information and permission control).
Sorry. Thanks also to Gforce.
Reply content:
PHP cURL is equivalent to directly opening a website in your browser, so it is not cross-origin.
You can perform interface verification, for example, using JWT.