Listen to this Post
This JavaScript snippet helps verify if traffic is coming from your legitimate domain, preventing 3rd party unauthorized calls. The technique is crucial for security against certain types of web attacks.
The Origin Verification Script
(function () {
if (window.opener) {
try {
if (window.opener.origin) { // opened by the same origin, so safe.
console.log("safe");
}
} catch {
// This window was opened via JS from an alternative origin.
// For safety, we will kill the opener.
window.opener.close();
}
}
var targetOrigin = "https://yourdomain.com";
new App({targetOrigin: targetOrigin});
}).call();
You Should Know: Implementation and Related Security Practices
1. Implementation Steps:
- Save the script as `origin-verifier.js`
– Include it in your pages: ``
– Set your domain in the `targetOrigin` variable
2. Server-Side Verification (Complementary to JS):
Nginx configuration to verify origin
if ($http_origin !~ "^https://yourdomain.com$") {
return 403;
}
3. CORS Configuration:
Apache .htaccess CORS settings Header always set Access-Control-Allow-Origin "https://yourdomain.com" Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" Header always set Access-Control-Allow-Headers "Content-Type"
4. Security Headers:
Recommended security headers Header always set X-Frame-Options "SAMEORIGIN" Header always set X-Content-Type-Options "nosniff" Header always set Referrer-Policy "same-origin"
5. Monitoring Suspicious Activity:
Grep Apache logs for suspicious origins
grep -v "yourdomain.com" /var/log/apache2/access.log | grep -i "origin:" | awk '{print $1}' | sort | uniq -c | sort -nr
6. Linux Firewall Rule to block suspicious origins:
iptables -A INPUT -p tcp --dport 80 -m string --string "Origin: http://malicious.com" --algo bm -j DROP
7. Windows PowerShell to verify origins:
Get-WinEvent -LogName 'Microsoft-Windows-IIS-Logging/Logs' | Where-Object { $<em>.Message -notmatch "yourdomain.com" -and $</em>.Message -match "Origin:" }
What Undercode Say
Origin verification is fundamental in web security. While client-side JavaScript checks are valuable, they should be complemented with server-side validation. The provided script helps prevent malicious windows from interacting with your pages, but comprehensive security requires multiple layers:
1. Always implement CORS policies
2. Use security headers like X-Frame-Options
3. Monitor your logs for suspicious origin attempts
4. Consider implementing CSRF tokens for sensitive operations
5. Regularly audit your JavaScript includes for integrity
For enhanced security, combine this with:
Content Security Policy header example Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com;"
Remember that security is a multi-layered approach – client-side checks like this JavaScript snippet are valuable but shouldn’t be your only defense mechanism.
Expected Output:
A secure web application that verifies request origins both client-side and server-side, with comprehensive monitoring and logging of suspicious activities.
References:
Reported By: Activity 7320324939713060864 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
