$_SERVER['HTTP_ORIGIN'] doesn't work

Question

When I use $_SERVER['HTTP_ORIGIN'].

echo $_SERVER['HTTP_ORIGIN'] ;

Return Notice: Undefined index: HTTP_ORIGIN in D:\xampp\htdocs\safe\test.php on line 12

What is Wrong?!

`What is Wrong?!` Using HTML snippets to display PHP code is wrong. — Praveen Kumar Purushothaman, Dec 19 '16 at 21:18
It just mean that the `Origin` header has not been provided when the page was requested. — Federkun, Dec 19 '16 at 21:19
what are you using it for? perhaps we can suggest an alternative approach. — , Dec 19 '16 at 21:21
It's because your browser not send origin request. so the php not send response the origin. — FSodic, Jan 12 '21 at 00:58
use `if(isset($_SERVER['HTTP_ORIGIN'])){ echo $_SERVER['HTTP_ORIGIN']; }` — FSodic, Jan 12 '21 at 00:59

Praveen Kumar Purushothaman · Answer 1 · 2016-12-19T21:21:24.237

8

The HTTP_ORIGIN is neither sent by all browsers nor it is secure to trust. You should really use:

echo $_SERVER['HTTP_REFERER'];

The issue happens to you because that particular browser hasn't set the origin. You don't trust HTTP_REFERER as well. It is as insecure as the former.

edited Dec 19 '16 at 21:21

answered Dec 19 '16 at 21:19

Praveen Kumar Purushothaman

160,666
24
190
242

6

as long as you dont trust HTTP_REFERER as it is set by the browser. can be faked, or often emptied by various software for security – Dec 19 '16 at 21:20
More Info Here about it http://stackoverflow.com/questions/4566378/how-secure-is-http-origin – chop62 Dec 19 '16 at 21:21
@Dagon I demand an upvote! `:P` *just kidding, as this is as bad as asking money to strangers* – Praveen Kumar Purushothaman Dec 19 '16 at 21:23
@Dagon Why extra software dude? Why not Firebug, Developer Tools? They are capable of emulating, simulating, confusing, collapsing and finally, crashing the server. – Praveen Kumar Purushothaman Dec 19 '16 at 21:24
I meant some software a user may run may automatically empty it. i have seen various "internet security" software people run on their PC do this. – Dec 19 '16 at 21:27
@Dagon Even I am doing it. OWASP? TamperHTTP? There are 1000s. But what I meant was, even the Chrome F12 Dev tools are capable of doing it. – Praveen Kumar Purushothaman Dec 19 '16 at 21:28
1

i think we agree. – Dec 19 '16 at 21:31
I use a SoapClient to another server and I want know Who's request – Dec 20 '16 at 09:29
@smko SOAP Client huh? You need to provide more information dude. – Praveen Kumar Purushothaman Dec 20 '16 at 14:04
I want to each site, which will be submitted information related to the site . But I know exactly the same site that will be submitted, and it is not Api someone else ? – Dec 20 '16 at 20:31
3

@PraveenKumar Please review this answer, or even delete it, as it's misleading. – Pedro Lobito Feb 21 '18 at 09:50
@PedroLobito Sure, thanks for getting this to me... `:)` – Praveen Kumar Purushothaman Feb 21 '18 at 10:01
1

@PedroLobito I guess either if you can update the answer as per the latest standard, or I'll just delete it... :) – Praveen Kumar Purushothaman Feb 21 '18 at 10:05
1

@PraveenKumar There never was a secure way of using `HTTP_REFERER` as it can be easily spoofed. I'd delete the answer. – Pedro Lobito Feb 21 '18 at 23:36

$_SERVER['HTTP_ORIGIN'] doesn't work

1 Answers1

Linked