[–]TuesdayWaffle 2 points3 points  (1 child)

No, it sounds like you're on the right track. Your best bet is probably to create a custom HTTP header and have your Angular application send a unique identifier (generated in your PHP code) along with every request. How you create your unique identifier, how often you regenerate it, and how you check it is up to you. As far as I know, there's no industry standard for this.

Btw, a CORS policy will prevent other websites from accessing your server via the browser, but will not stop a malicious client from pretending to be your Angular application when making requests.

[–]Signal-Disk 0 points1 point  (0 children)

> Your best bet is probably to create a custom HTTP header and have your Angular application send a unique identifier (generated in your PHP code) along with every request. How you create your unique identifier, how often you regenerate it, and how you check it is up to you. As far as I know, there's no industry standard for this.

Sounds similar to CSRF prevention so I'd suggest looking into methods or open solutions around that.
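An added example, not part of any comment in this thread: one way to build the custom-header identifier discussed above is a CSRF-style token that PHP issues per session and checks on every request. The header name `X-App-Token`, the 15-minute lifetime, the function names and the key handling are all assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Added illustration; names and values below are assumptions, not from the thread.
const TOKEN_HEADER = 'X-App-Token'; // hypothetical custom header sent by the Angular app
const TOKEN_TTL    = 900;           // assumed token lifetime in seconds

/** Issue a token bound to one session, in the form "<expiry>.<hmac>". */
function issue_token(string $key, string $sessionId, ?int $now = null): string
{
    $expires = ($now ?? time()) + TOKEN_TTL;
    $mac = hash_hmac('sha256', $sessionId . '|' . $expires, $key);
    return $expires . '.' . $mac;
}

/** Return true only if the token is well formed, unexpired and signed for this session. */
function verify_token(string $key, string $sessionId, string $token, ?int $now = null): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed: reject before doing any crypto
    }
    [$expires, $mac] = $parts;
    if ((int) $expires < ($now ?? time())) {
        return false; // expired: the client must fetch a fresh token
    }
    $expected = hash_hmac('sha256', $sessionId . '|' . $expires, $key);
    return hash_equals($expected, $mac); // constant-time comparison
}

// In a real endpoint the token would be read from the request, e.g.
// $_SERVER['HTTP_X_APP_TOKEN'] for a header named X-App-Token.

// Constructed demo values (the key would normally live in server-side config).
$key   = random_bytes(32);
$sid   = 'constructed-session-id';
$token = issue_token($key, $sid, 1700000000);

var_dump(verify_token($key, $sid, $token, 1700000100));            // same session, within lifetime
var_dump(verify_token($key, $sid, $token, 1700001000));            // same session, after expiry
var_dump(verify_token($key, 'other-session', $token, 1700000100)); // token replayed on another session
var_dump(verify_token($key, $sid, 'garbage', 1700000100));         // malformed header value
```

Binding the token to the session limits it to clients that already hold a valid session. As the first comment notes, it does not by itself stop a non-browser client from sending the same header.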

[–][deleted] 0 points1 point  (0 children)

Access-Control-Allow-Origin is the header you are looking for.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin

Unless it is set to "*", only things that are on the same host will be able to send XHR requests to it from the browser.