
HTTP origin attribute - not appearing


Question

Hello,

 

I am trying to read the HTTP header Origin attribute from my web application in order to avoid some CSRF.

 

It seems the Origin is not part of the request header (checked from the Chrome console).

 

Is the Origin only set in HTTPS (as I have read that Referer is not set in HTTPS)?

 

Is there any server support for this?

I am testing on an old JDeveloper OC4J server.

 

Any hint?

 

Should the same application deployed in WebLogic have the Origin attribute in its header?

 

Thanks in advance.


3 answers to this question


Should work without HTTPS :/

Also, it's not supported by all servers, but most up-to-date Apache servers should support it.

 

http://stackoverflow.com/questions/4566378/how-secure-http-origin-is/8087233#8087233

 

This might help you a bit?

 

And keep in mind: HTTP is a plain text protocol. The request header/body structure can be faked to anything you want. So using this on HTTP is like using a lock on your back door and keeping your front door open...


This topic is now closed to further replies.
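
An added example, not part of the original thread: a server-side check that compares the Origin header with the application's own origin, falls back to Referer when Origin is absent (browsers commonly omit Origin on same-origin GET requests, which is one reason it may not show up in the console), and rejects state-changing requests that carry neither. The class and method names and the `app.example.test` origin are assumptions; in a servlet filter the three strings would come from `getMethod()` and `getHeader(...)`.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/** Added example: Origin/Referer CSRF check. All names and origins are assumptions. */
public class OriginCheck {
    // Methods that must not change state; the check is skipped for them.
    private static final List<String> SAFE = Arrays.asList("GET", "HEAD", "OPTIONS");

    /** Reduce a URL to scheme://host[:port], or null if it cannot be parsed. */
    static String originOf(String url) {
        if (url == null) return null;
        try {
            URI u = URI.create(url.trim());
            if (u.getScheme() == null || u.getHost() == null) return null;
            String o = u.getScheme().toLowerCase(Locale.ROOT) + "://"
                     + u.getHost().toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? o : o + ":" + u.getPort();
        } catch (IllegalArgumentException e) {
            return null; // malformed header value: treat as unusable
        }
    }

    /** True if the request may proceed. */
    static boolean allowed(String method, String origin, String referer, String ownOrigin) {
        if (SAFE.contains(method.toUpperCase(Locale.ROOT))) return true;
        // Prefer Origin; consult Referer only when Origin is absent.
        String source = origin != null ? originOf(origin) : originOf(referer);
        // Neither header usable (this includes the literal "Origin: null"): reject.
        return source != null && source.equals(originOf(ownOrigin));
    }

    public static void main(String[] args) {
        String own = "https://app.example.test"; // assumed application origin
        // Constructed sample requests: method, Origin, Referer
        String[][] samples = {
            {"GET", null, null},
            {"POST", "https://app.example.test", null},
            {"POST", "https://other.example.test", "https://app.example.test/form"},
            {"POST", null, "https://app.example.test/form"},
            {"POST", "null", null},
            {"POST", null, null},
        };
        for (String[] s : samples) {
            System.out.printf("%-5s origin=%s referer=%s -> %s%n", s[0], s[1], s[2],
                allowed(s[0], s[1], s[2], own) ? "allow" : "reject");
        }
    }
}
```

The check covers requests issued by a user's browser, where page script cannot set the Origin header; it does not authenticate non-browser clients, which can send any header value.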