"Send HTTP Post": $_SERVER['HTTP_ORIGIN'] is empty?

API Q&A
#1

Hi,

I have a campaign sequence which send an HTTP Post to our own API which then triggers actions at third party systems.

However: I grand api access only to specific origins via

header("Access-Control-Allow-Origin: ".$http_origin);

Problem:

It looks like Infusion doesn’t provide $_SERVER[‘HTTP_ORIGIN’] value?

Due to this, I cannot “authenticate” Infusion to access our api (to white list “appname.infusion.com”).

Is my observation correct? Any suggestions on how I could solve this?

Best,
Martin

P.s.: Our API once denied Infusion access to itself: Now I’m under the impression Infusion doesn’t POST at all anymore??

UPDATE: No, it still POST to our API. I took a couple of minutes, though…

#2

Hmmm… The API calls are working now. Despite that I cannot see the http_origin.

So, while the initial problem is solved, I’m still interested to understand what may be the reason for an “empty” http_origin…

Ideas appreciated.

Best wishes,
Martin

#3

You’re trying to climb more than one tree if you intend to rely on origin. It is not universally supported and cannot be relied 100%. In other words, not all browsers send it with requests. Also, the same issue, in regards to security and identity, is involved. Everything HTTP is text and can be faked. Also, if using PHP and if you don’t have origin setup as a system var in your PHP configuration, the server will not report it even if it does come in.

Finally, this is an Infusionsoft forum and origin is a browser/server matter. You might also try checking your server or browser documentation as well.

#4

Hi John,

thx for your answer!

I will reconsider my approach.

Best,
Martin