Adding better security than HTTP_REFERRER

I have an html script that calls a PHP page, which returns database info as a JSON array.

I do not want people to look at my source, see the name of the php file, and run it from their browser to see the contents of the JSON array.

I put code in the php file that if the referring site is NOT from the html file’s directory to exit and not process the request.

This works great - the HTML file calls the PHP and the data returns, but if you call the PHP from any other browser it exits without exposing any data (afaik)

However, I know that HTTP_REFERRER can be easily spoofed - Does anyone know of a way that I can have the PHP file know for sure where requests are coming from, or better ONLY allow requests from a specific URL?

Maybe include a session token?

I have a music player in HTML that calls a PHP file that accesses a DB and returns the URL of mp3s that play in a player. I didn’t want people to run the php script and have a full list of the mp3s on my server. Not really that big of a deal, it is all non-RIAA liberated music anyway - Also just trying to learn.

The way the player works, you can not view source and see the JSON data - it stays in variables. I really do not understand how all of this works 100% - but it seemed that if the PHP would only run if called from the same URL as the HTML, then no-one could run the PHP - only an HTML file on the same server at itself.

Would it be possible to see the JSON data in the HTML doc that is running beyond view source?

Thx Felgall - Capturing audio streams is very easy to do. Anything you hear on your computer can be captured - so people will get the mp3s if they want them.

I have gotten the key system working (thx! PHP_Adam) - I now only need to update the key file on my server on an interval.

I guess there is no way to prevent people from running the php scripts - I though there would be a way to have a php only run if the HTML that calls it is on the same (or specified) server.

Not sure about checking IP - encoding and decoding the JSON results is intriguing.

If you use proper streaming software on the server then it shouldn’t be possible for anyone to actually download a copy unless they record the streamed file again on their system. They’d then need to figure out how to get their recorder software to record the streamed info rather than recording from a mic or aux in input.

You can do layer upon layer upon layer of obscurity. But it is not going to make it any more secure. Because the data will get to the user regardless of what you do. If you do not want user to have this data, do not put it online. Period. So to answer all your questions…no. But I am curious, if you are showing the user this data already why are you concerned with not letting them see the raw JSON?

wow awesome - thanks for the quick replies - Another issue I see - is that someone could copy my source - host it on their own site with new css and run a clone of my player and stream my mp3s.

I like the idea of sending a key - The way I can see to do this is to set up a cron scrip to write a random number to a file daily, and have a piece of inline php in the HTML doc write in the key to the PHP request, and the PHP would read the same file looking for a match - So as long as the location of the file with the random file is kept secret - My site could only be hijacked for one day. Is this the best way to do the key method?

As far as session tokens - wouldn’t a spoofer be able to send a session variable as well? I will research this more - I think I am missing something here.

Immerse: I am not going to have people log in. I am as much as anything trying to make a good faith effort to prevent people from downloading the mp3s that I am streaming. I realize that if someone is serious, they will find a way.

Server side script is secure, no? People can’t see the contents of inline PHP can they?

Greg, if you don’t want people to look at your code, don’t put it on the Internet.

Using stuff like Firebug’s Net console, or Live HTTP Headers, I can view all traffic and headers between my browser and your server.

If you want to stop people stealing your MP3’s, then you’ll have to build some sort of login system, and pass everything through a session check (including the MP3’s themselves).

HTTP_REFFERER is not security, its far from it. It is sent from the users computer to your server, this means that the user can change the value to what they want. I could bypass your “security” with one line in PHP_Curl, so you asked a good quesiton.

The easy’ist way is to provide a SESSION TOKEN when they visit the valid calling page, then on the JSON script check that the TOKEN is still valid.

You could also on the calling page, send a “key” via the URL request and check that its valid. This “key” changes every 24 hours, so if someone does game your system it will be a bit more of a pain.

You could run an IP check (though not advisable).

Encode the JSON and Decode it on calling page?

The best solution is not to secure the data, as everything is breakable and your just delaying the inevitable, if someone wants it and are determined they could get it.


This is incorrect, the only need to visit the homepage (calling page) give them the session, then check it on the JSON request.

I would need to have them login for session variables to work, no?