sepiariver / recaptchav2

Google's ReCaptcha V2 + V3 for MODX CMS: https://sepiariver.com/modx/recaptchav2-supports-recaptchav3/
https://sepiariver.com/
GNU General Public License v2.0

Expected hostname v3 #34

Closed: devlanda closed this issue 5 years ago

devlanda commented 5 years ago

https://github.com/sepiariver/recaptchav2/blob/2ee12f74a065a19cc75e4cf137216d5f1b24ae22/core/components/recaptchav2/elements/snippets/recaptchav3.snippet.php#L78

I am wondering. Could we improve the recaptchav3 snippet by replacing $_SERVER['SERVER_NAME'] with $_SERVER['HTTP_HOST']?

The last one uses the actual domain of the request: https://stackoverflow.com/a/13773126

sepiariver commented 5 years ago

Thanks @devlanda, you're right about the $_SERVER variables. However, those are easily spoofed, and my intention was to use parse_url($modx->getOption('site_url'), PHP_URL_HOST). In the end it doesn't matter much for security purposes. The best way to secure your ReCaptcha implementation is to use Google's domain validation via the ReCaptcha admin console.

I'll flag the MODX-y input for next patch release.
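Added example (not part of the thread and not the snippet's own code): a hostname check that takes the expected host from the configured site URL instead of a request header. The function names and sample values are hypothetical; `success` and `hostname` are fields of Google's siteverify JSON response.

```php
<?php
// Added example; function names are hypothetical, not taken from recaptchav3.snippet.php.

/** Derive the expected host from configuration (e.g. MODX site_url), never from the request. */
function expectedRecaptchaHost(string $siteUrl): string
{
    $host = parse_url($siteUrl, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        // Fail closed: a misconfigured site_url must not turn into "accept any host".
        throw new InvalidArgumentException('site_url has no host component');
    }
    return strtolower($host);
}

/** Accept a decoded siteverify response only if it succeeded for the configured host. */
function recaptchaHostnameOk(array $response, string $siteUrl): bool
{
    if (empty($response['success'])) {
        return false;
    }
    if (!isset($response['hostname']) || !is_string($response['hostname'])) {
        return false;
    }
    // Hostnames are case-insensitive; compare normalized values.
    return strtolower($response['hostname']) === expectedRecaptchaHost($siteUrl);
}

// Constructed sample data: configured site URL and two decoded siteverify responses.
$siteUrl  = 'https://www.example.com/';
$ownToken = json_decode(
    '{"success":true,"score":0.9,"action":"contact","hostname":"www.example.com"}', true);
$foreignToken = json_decode(
    '{"success":true,"score":0.9,"action":"contact","hostname":"other.example.net"}', true);

// Constructed Host header value, standing in for $_SERVER['HTTP_HOST'] on a request
// whose sender chose the header to match the token.
$requestHostHeader = 'other.example.net';

// Config-derived check: accepts the site's own token, rejects the foreign one.
var_dump(recaptchaHostnameOk($ownToken, $siteUrl));
var_dump(recaptchaHostnameOk($foreignToken, $siteUrl));

// Header-derived check for comparison: the expectation follows whatever the request
// claims, so the foreign token matches.
var_dump(strtolower($foreignToken['hostname']) === strtolower($requestHostHeader));
```

The key's domain restriction in the ReCaptcha admin console remains the primary control; this check is a second layer on the server side.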

sepiariver commented 5 years ago

Reference: https://security.stackexchange.com/questions/149324/why-bother-validating-the-hostname-for-a-google-recaptcha-response

devlanda commented 5 years ago

Thank you @sepiariver. I have tested your commit; the MODX-y input works well.

sepiariver commented 5 years ago

Thank you @devlanda