Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks,

I am trying to adapt 3 perl scripts to only allow https connections. So far I test to see if $ENV{'HTTP_REFERER'} matches /^https:/, but I read in some places that you should not trust $ENV{'HTTP_REFERER'}. Is there another way to check for https? Should I trust $ENV{'REMOTE_ADDR'} to get the IP address, or can that be faked too?

Thank you for your help.

Re: Another way to find http referrer
by JavaFan (Canon) on Feb 27, 2012 at 22:44 UTC
    Even if you can trust the referer, it's only going to tell you that the previous request used https, not the current one.

    Isn't it easier to configure the HTTP server to only accept https connections?

    REMOTE_ADDR can be faked, but is harder to do. But that doesn't give you any information whether the request was using https or not.

    As general advice, don't roll your own security. Leave it to the experts, and do it at the right layer.

      Just to add: browsers generally don't send a referrer if they are coming from a secure site (https) to an insecure one (http)

      JavaFan, these scripts are on a shared server and I have other scripts which must be http. Can I do something with .htaccess or something to only act on my 3 scripts? Thank you.

        A simple solution: configure your web server to serve files for your https:// URLs from a different point in your filesystem than your http:// files. For instance, your http files might be under /var/www/data and your https files under /var/www/data-ssl. Then neither set of files can be accessed through the other port.

        Edit: On a second look, I noticed you said you're on a shared server, so maybe you can't change the web server config. In that case, the $ENV{HTTPS} or $ENV{SERVER_PORT} variables may be of use to you, at least on some servers.

        Aaron B.
        My Woefully Neglected Blog, where I occasionally mention Perl.

        Can I do something with .htaccess or something to only act on my 3 scripts?
        I don't know. Probably. But you'd have to be at the Apachemonks for that.
Re: Another way to find http referrer
by derby (Abbot) on Feb 27, 2012 at 23:48 UTC

    Configuring at the apache level is the most secure route ... but the following could be used as the base for redirecting to https. Hopefully all your requests are GETs. If not, I look forward to your next question on why you lose POST params on a redirect.

    #!/usr/bin/perl
    use strict;
    use warnings;
    use CGI;

    my $cgi = CGI->new;

    # CGI.pm reports the scheme of the current request: 'http' or 'https'
    my $proto = $cgi->protocol();

    print $cgi->header,
          $cgi->start_html('protocol test'),
          $cgi->h1('proto is ' . $proto),
          $cgi->end_html;

    -derby
      derby, I am using another CGI module in my script but can change. I looked for 'protocol()' in CGI at cpan but it is not on the page, and found 'https()' instead, another one I did not know. Then I tested $cgi->https() and $cgi->protocol(): 'https()' returns nothing, but 'protocol()' returns 'https'. Another way. Thank you.
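Putting derby's protocol() check together with the $ENV{HTTPS} / $ENV{SERVER_PORT} variables Aaron B. mentioned, here is an added example (not code from any post above) of a CGI script that refuses plain-http requests based only on server-set variables, never on HTTP_REFERER. It assumes a plain CGI setup where the web server populates these variables itself; behind a reverse proxy that terminates TLS they may all describe the proxy hop instead, which the script cannot detect.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Decide whether the *current* request arrived over TLS.
# Only server-set CGI variables are consulted; HTTP_REFERER is
# client-controlled and only describes the previous request.
sub request_is_https {
    my ($cgi) = @_;
    return 1 if defined $ENV{HTTPS} && $ENV{HTTPS} =~ /^(?:on|1)$/i;
    return 1 if defined $ENV{SERVER_PORT} && $ENV{SERVER_PORT} eq '443';
    my $proto = $cgi->protocol;   # CGI.pm reports 'http' or 'https'
    return 1 if defined $proto && lc($proto) eq 'https';
    return 0;
}

# Build the https:// form of the URL the client actually requested,
# keeping path info and the query string so a GET loses nothing.
sub https_url {
    my ($cgi) = @_;
    my $url = $cgi->url(-path_info => 1, -query => 1);
    $url =~ s{^http://}{https://};
    return $url;
}

my $cgi = CGI->new;

unless (request_is_https($cgi)) {
    if ($cgi->request_method eq 'GET') {
        # Safe to redirect: a GET carries its parameters in the URL.
        print $cgi->redirect(-uri => https_url($cgi), -status => 301);
    }
    else {
        # A redirect would silently drop the POST body (derby's caveat),
        # so refuse the request instead of redirecting it.
        print $cgi->header(-status => '403 Forbidden', -type => 'text/plain');
        print "This script accepts requests over https only.\n";
    }
    exit;
}

# From here on the request is known to be https.
print $cgi->header,
      $cgi->start_html('protocol test'),
      $cgi->h1('proto is ' . $cgi->protocol),
      $cgi->end_html;
```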