Tags: php, security, ip-address

How secure is it to assume that if $_SERVER['SERVER_ADDR'] === $_SERVER['REMOTE_ADDR'], the server is the one making the request?


Well, the question says it all. I am wondering how secure a comparison like this is:

if ($_SERVER['SERVER_ADDR'] === $_SERVER['REMOTE_ADDR']) {
    // yeah, it's the server, go ahead do this.
}

The reason I am asking is that I want to identify some web API calls that are coming from the server itself.

I know that $_SERVER['REMOTE_ADDR'] can be spoofed to run a request but not to get the result back from it. If this is the case, when talking about REST for example, this raises no problem for GET requests, but what about DELETE requests, where there is no need to parse the response from the server?
If the above statement is correct, does that mean you shouldn't trust the aforementioned comparison?
What are the alternatives (let's exclude CLI here)?


Solution

  • The best solution is using a secure password.

    You won't have to worry about faked IP addresses or other possibly insecure checks that way, as long as your check only allows correct passwords.

    if ($_GET['password'] === 'my_password') {
        // code
    }
    

    Consider using a secure compare function to avoid timing attacks.
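As an added example (my own code, not part of the answer above), this is how the shared-secret approach can be written in PHP so that the secret travels in a request header rather than in the query string, and is compared with hash_equals(), which is PHP's constant-time comparison. The header name X-Internal-Token and the environment variable INTERNAL_API_SECRET are assumed names, and the sample requests at the bottom are constructed, not real traffic.

```php
<?php
// Added example (not the answer author's code): authenticate "server-to-self"
// API calls with a shared secret instead of comparing SERVER_ADDR to REMOTE_ADDR.
// Assumptions: the secret is configured in the environment variable
// INTERNAL_API_SECRET and is sent in the header X-Internal-Token (both hypothetical).
declare(strict_types=1);

/**
 * True only if the presented token matches the configured secret.
 * hash_equals() runs in time independent of where the strings first differ,
 * so a wrong token does not leak how many leading bytes were correct
 * (the timing attack the answer warns about). A missing header or an
 * unconfigured secret is always a deny.
 */
function isAuthorizedInternalCall(?string $presented, string $secret): bool
{
    if ($presented === null || $secret === '') {
        return false;
    }
    return hash_equals($secret, $presented);
}

/**
 * Minimal endpoint logic for the DELETE case from the question.
 * Takes the $_SERVER-style array as a parameter so it can be exercised
 * without a web server; returns the HTTP status it would send.
 */
function handleInternalDelete(array $server, string $secret): int
{
    // PHP exposes request headers as $_SERVER['HTTP_<NAME>'] with dashes as underscores.
    $presented = $server['HTTP_X_INTERNAL_TOKEN'] ?? null;

    if (!isAuthorizedInternalCall($presented, $secret)) {
        return 403;                     // deny before touching anything privileged
    }
    // ... perform the privileged DELETE here ...
    return 204;
}

/**
 * Calling side: the server making the request to itself. The secret goes in a
 * header, never in the URL, so it does not land in access logs or Referer headers
 * the way a $_GET['password'] parameter would. Returns the body or false.
 */
function callInternalApi(string $url, string $method, string $secret)
{
    $ctx = stream_context_create([
        'http' => [
            'method'        => $method,
            'header'        => "X-Internal-Token: {$secret}\r\n",
            'ignore_errors' => true,    // still return the body on 4xx/5xx
        ],
    ]);
    return file_get_contents($url, false, $ctx);
}

// Constructed sample requests to show the check in action (not real traffic).
// In production read the secret with getenv('INTERNAL_API_SECRET') and make it
// long and random, e.g. bin2hex(random_bytes(32)) generated once at deploy time.
$secret = 'replace-with-a-long-random-secret';

$good    = ['REQUEST_METHOD' => 'DELETE', 'HTTP_X_INTERNAL_TOKEN' => $secret];
$wrong   = ['REQUEST_METHOD' => 'DELETE', 'HTTP_X_INTERNAL_TOKEN' => 'guess'];
$missing = ['REQUEST_METHOD' => 'DELETE'];

foreach (['good' => $good, 'wrong token' => $wrong, 'no token' => $missing] as $label => $request) {
    printf("%-12s -> HTTP %d\n", $label, handleInternalDelete($request, $secret));
}
```

Two practical notes on the original IP comparison, for anyone still tempted to keep it as a second factor: behind a reverse proxy or load balancer REMOTE_ADDR is the proxy's address, not the client's, and a server that calls itself over the loopback interface will typically see REMOTE_ADDR as 127.0.0.1 while SERVER_ADDR is its public address, so the equality check can fail for exactly the legitimate case it was meant to allow. The shared-secret check above has neither problem.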