How to identify whether http request is from browser or from proxy server (or server)?
I have a server that takes http request and return json data. How does my server know if the http request is from a client browser and not from a server? especially if traffic may proxy from a client to another server and make a call to my server.
I know i can check the http header to know user-agent, remote-addr..etc but it is not secure. People can fake the http request header.
What other tricks I can do to identify the incoming request?
There is no way for you to know. “Anonymous proxies” will not have the
X-Forwarded-For header. Some IRC servers will port scan clients as they connect looking for common proxy server ports like 8080, 3128, ect. You could hack up a tool like YAPH to look for proxies on people connecting to you. But it won’t pick up phpproxy, or proxies running on strange ports.
This is an up hill battle, and its why hackers use them. If this is a problem, perhaps you should reevaluate your business model or how your application functions.
If you’re able to check for headers, you’ll be able to see X-Forwarded-For, which will tell you the ip of the “real” request. Legitimate proxies utilize this header.
For browsers, User-Agent header is what you’ll be interested in. Popular browsers and crawlers will utilize this header.
That said, those headers can be faked or omitted. There is no single way to determine the “real” factor of incoming requests. It’s best to incorporate as many headers, patterns and behaviors to determine legitimacy of a request.