Detailed explanation of php apache opening cross domain mode process

2021-12-12 08:13:49
OfStack

apaceh configuration:


<VirtualHost *:80>
  ServerAdmin xxx@qq.com
  DocumentRoot "C:/htdocs/demo"
  ServerName dev.dd.cn
  ##ErrorLog "logs/dummy-host.localhost-error.log"
  ##CustomLog "logs/dummy-host.localhost-access.log" combined
  <Directory "C:/htdocs/demo">
    #Require all denied
    Header set Access-Control-Allow-Origin *
  </Directory>
</VirtualHost>

PHP file settings:


<?php
   header("Access-Control-Allow-Origin:*"); 
   // Processing request output data 
?>

Configuration means that any domain-initiated request can obtain the data of the current server. Of course, this is very dangerous, malicious sites may attack our server through XSS. Therefore, we should try our best to limit the security sources. For example, the following settings make it possible for only the domain http://feng. com to access the server's API across domains.

httpd. conf:


<VirtualHost *:80>
  ServerAdmin xxx@qq.com
  DocumentRoot "C:/htdocs/demo"
  ServerName dev.dd.cn
  ##ErrorLog "logs/dummy-host.localhost-error.log"
  ##CustomLog "logs/dummy-host.localhost-access.log" combined
  <Directory "C:/htdocs/demo">
    #Require all denied
    Header set Access-Control-Allow-Origin http://feng.com
  </Directory>
</VirtualHost>

In the PHP file:


header("Access-Control-Allow-Origin:http://feng.com");