I wish to discover if the incoming HTTP_REQUesT call from a third party website is from the listing of domain names which i defined. I understand that HTTP_REFERER may be used to discover in which the third party domain is but it's not secure enough. peopel can spoof it or telnet fake it.

so, what about HTTP_ORIGIN? could it be sent all browsers? could it be secure?

Also, can people fake the REMOTE_ADDR inside a HTTP_REQUEST call?

thanks.

HTTP_ORIGIN is neither sent by all browsers nor could it be secure.

Nothing sent through the browser can be considered safe.

Everything within the HTTP request could be photoshopped.

HTTP is really a plain-text protocol. The ENTIRE request header/physiology could be photoshopped to express anything you like.

what about HTTP_ORIGIN? could it be sent from all browsers? could it be secure?

It isn't even indexed by the PHP manual. I am confident nothing can compare to that sent through the browser whatsoever. My prediction is the fact that this is an optional functionality in certain servers and hang using a reverse DNS research. That We believe means it's not so reliable whatsoever, even when present.

Also, can people fake the REMOTE_ADDR inside a HTTP_REQUEST call?

No. The remote address is really utilized by the IP protocol. You are able to fake it for single IP packets, however it means you will not have any reactions, and most likely can't even obtain a TCP connection setup. So for HTTP, it's not necessary to be worried about Ip spoofing. Except obviously that demands could be routed via a proxy server, but that needs cooperation from somebody that is legitimately by using their address.