$_SERVER['HTTP_ORIGIN'] doesn't work

About

Asked 19/12, 2016 at 21:15 Answered 19/12, 2016 at 21:19

When I use $_SERVER['HTTP_ORIGIN'].

echo $_SERVER['HTTP_ORIGIN'] ;

Return Notice: Undefined index: HTTP_ORIGIN in D:\xampp\htdocs\safe\test.php on line 12

What is Wrong?!

Unterwalden answered 19/12, 2016 at 21:15 Comment(5)

What is Wrong?! Using HTML snippets to display PHP code is wrong. – Loar 19/12, 2016 at 21:18

It just mean that the Origin header has not been provided when the page was requested. – Faradmeter 19/12, 2016 at 21:19

what are you using it for? perhaps we can suggest an alternative approach. – Moire 19/12, 2016 at 21:21

It's because your browser not send origin request. so the php not send response the origin. – Eye 12/1, 2021 at 0:58

use if(isset($_SERVER['HTTP_ORIGIN'])){ echo $_SERVER['HTTP_ORIGIN']; } – Eye 12/1, 2021 at 0:59

The Origin header isn't sent by all browsers.

Depending what you're trying to do, another option is to use the Referer header:

echo $_SERVER['HTTP_REFERER'];

By the way, note that request headers are ultimately controlled by the user, so can't be fully trusted.

Loar answered 19/12, 2016 at 21:19 Comment(16)

as long as you dont trust HTTP_REFERER as it is set by the browser. can be faked, or often emptied by various software for security – Moire 19/12, 2016 at 21:20

More Info Here about it https://mcmap.net/q/18434/-how-secure-is-http_origin – Caresa 19/12, 2016 at 21:21

@Dagon I demand an upvote! :P just kidding, as this is as bad as asking money to strangers – Loar 19/12, 2016 at 21:23

@Dagon Why extra software dude? Why not Firebug, Developer Tools? They are capable of emulating, simulating, confusing, collapsing and finally, crashing the server. – Loar 19/12, 2016 at 21:24

I meant some software a user may run may automatically empty it. i have seen various "internet security" software people run on their PC do this. – Moire 19/12, 2016 at 21:27

@Dagon Even I am doing it. OWASP? TamperHTTP? There are 1000s. But what I meant was, even the Chrome F12 Dev tools are capable of doing it. – Loar 19/12, 2016 at 21:28

i think we agree. – Moire 19/12, 2016 at 21:31

I use a SoapClient to another server and I want know Who's request – Unterwalden 20/12, 2016 at 9:29

@smko SOAP Client huh? You need to provide more information dude. – Loar 20/12, 2016 at 14:4

I want to each site, which will be submitted information related to the site . But I know exactly the same site that will be submitted, and it is not Api someone else ? – Unterwalden 20/12, 2016 at 20:31

@PraveenKumar Please review this answer, or even delete it, as it's misleading. – Natter 21/2, 2018 at 9:50

@PedroLobito Sure, thanks for getting this to me... :) – Loar 21/2, 2018 at 10:1

@PedroLobito I guess either if you can update the answer as per the latest standard, or I'll just delete it... :) – Loar 21/2, 2018 at 10:5

@PraveenKumar There never was a secure way of using HTTP_REFERER as it can be easily spoofed. I'd delete the answer. – Natter 21/2, 2018 at 23:36

How is either header "insecure"? Sure, they can be spoofed by a client, but they can't be overidden by browsers as they are forbidden headers, which is good enough for many use cases. This answer needs to clarify that. – Bioscope 17/10, 2022 at 18:57

@Bioscope You know that the answers are licensed under CC BY-SA. You can very much edit and update it and I would have happily accepted it rather than complaining. It is this quality that makes a better leader. Anyway, thanks, I've updated it. – Loar 17/10, 2022 at 23:6

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags