How to get the domain name of where a curl post came from

Please house,
I have a PHP file that can be called or posted data to from an external website.

I want to know how to actually get the real domain name from which the curl post was made to my PHP script,
so that I can run some code or validation on the code.
Example:
A file in examplea.com/ made a post via curl to exampleb.com/loadtext.php

Apart from having to use $_SERVER['REQUEST_URI'] in the examplea.com post data, can I actually write some code in exampleb.com/loadtext.php and get the full domain of websites posting to or calling it via curl?

Well, getting the domain is hard, but you can get the IP of the server that made the request from $_SERVER['REMOTE_ADDR']. You can haul that through a reverse DNS lookup and then maybe get the domain back, but this is not guaranteed at all, since it’s not required to set up and most people don’t bother.

1 Like

I know of the IP, but it is not unique like a domain name.
I think I should tell you what I intend to do.
I created a script that can be accessed using keys and a secret word, then I want to ensure those keys are for a given domain name.

Because it is easy to use one key and secret word for multiple domains, but my intention is that only the domain assigned to that key can access it.
Validation is not the problem, as I have a database to store the secret key, key and domain name.

So if it is sent from a domain name other than what is in the database, it throws an error.

So how can I get the domain, or what should I do?

I created the script they are making the calls from. But if I put

$site = 'https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];

$postdata = array(
    'sitename' => $site,
);

as post field data in the curl call sending to the script, it can be edited and replaced with a static domain name.

What's the best way to achieve this?

Looks like a dead end achieving my aim. But could there be another way?

Yes, check the IP.

Is there a need, since the IP can be changed whereas the domain is still the same? Unless the IP you are referring to is different from the browser IP or anything which is more internet related than domain related.

Well yes, but generally it doesn’t happen that often and also it’s the only reliable thing to use. So it’s either that or no check at all.

1 Like

It does mean I have to wait for the user to make his first call so I can save his domain IP to the database, and subsequent calls will be validated against the IP we have on file.
Note, am I to call this

In my own script, that is loadtext.php, or am I to call it in the user's file?
Because anything in the user's file can be edited, but things in loadtext.php are kept on my control server and the user doesn't have access to it.

You need to call it in your server. It gives you the IP of the client that is connecting to your server.

What would that achieve? If we don’t know you we’ll add you so next time you’ll be granted access? That basically grants everyone access, with redundant bookkeeping.

Not really like that; it is not the type of "if it doesn't exist already, add it". This will come through an initial setup process where we try your IP, and once we get it we store it for subsequent use. If you didn't go through that approval process, then your call will always fail because it will never be in the database.

Since you confirmed the IP is unique for each domain, then I can use my brain to figure out the preliminary integration and onboarding process.

Is that true? I’m not sure it is. I’m pretty sure that if microsoft.com registered for your service, you might find that their domain has multiple IP addresses, before you even get on to the difference between www.microsoft.com and support.microsoft.com and all the rest. Round-robin load balancing allows a DNS server to give out different IPs for the same domain, for example, or it did last time I was looking at stuff like this.

What if the connection comes from someone who has a dynamic IP address, and has a different one each time they connect? Or what if someone on a shared connection (shared router, for example) signs up for your service, but all the other people on that shared router do not?

IP addresses are rarely a good way to track users.

Wow, I am left off guard, kind of confused; looks like the internet world was designed to be exploited.

It does mean anyone with my API keys can use them in any domain he wants.

And there is no way I can restrict an API to a given domain name?

There is something I need to get clear here: is the IP address for internet browsers, like the one we get for the list of users browsing our website?

I am talking about an IP or any identifier for a specific registered domain name, not the visitor's internet protocol address, so that I can know yes, this script or file is actually coming from www.fish.com or is coming from www.meat.com

That's all I am looking forward to.

If you have a look at this site - https://dns-lookup.com/microsoft.com - it will show you several IP addresses (A-records) which are all “microsoft.com”. You can look at other domain names on that web site and see what information they return. In this specific example, you see that there are five IP addresses that resolve to microsoft.com. If you look up subdomains (www, support, for example), they have their own IP addresses, which are different from the first list.

So if you want to restrict access by domain name, you can’t necessarily restrict it to a single IP address.

Perhaps you could describe in more detail the exact scenario - where are you expecting your users to connect from? I don’t know what your project does - is it reasonable to presume that users will connect to you from the physical machine that resolves to their registered domain?

I suspect that there is a reason that very few APIs use IP addresses as part of their authentication process.
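Added example, not part of any post in this thread: what checking $_SERVER['REMOTE_ADDR'] against a registered domain looks like in loadtext.php, using both the reverse lookup and the A-record lookup discussed above. The function name, the result labels and all DNS data are constructed for illustration; the resolvers are injected so the sample runs offline, and on a live server you would pass 'gethostbyaddr' and 'gethostbynamel' instead.

```php
<?php
// Classify the connecting IP against the domain registered for an API key.
function callerDomainCheck(string $ip, string $expected, callable $ptr, callable $aRecords): string
{
    // Forward check: is the connecting IP one of the domain's A records?
    // A domain can publish several, so compare against the whole list.
    $addrs = $aRecords($expected);
    if (is_array($addrs) && in_array($ip, $addrs, true)) {
        return 'forward-match';
    }
    // Reverse check: gethostbyaddr() returns the IP unchanged when no PTR exists.
    $host = $ptr($ip);
    if ($host === false || $host === $ip) {
        return 'no-ptr';
    }
    // The PTR is set by whoever controls the IP block, so it only counts
    // if the name it gives resolves back to the same IP.
    $back = $aRecords($host);
    $confirmed = is_array($back) && in_array($ip, $back, true);
    $host = strtolower(rtrim($host, '.'));
    $suffix = '.' . strtolower($expected);
    $inDomain = $host === strtolower($expected)
        || substr($host, -strlen($suffix)) === $suffix;
    return ($confirmed && $inDomain) ? 'ptr-match' : 'mismatch';
}

// Constructed DNS data (documentation IP ranges, hypothetical host names).
$A = [
    'examplea.com'                 => ['192.0.2.10', '192.0.2.11'],
    'host7.shared-hosting.example' => ['198.51.100.7'],
];
$PTR = ['198.51.100.7' => 'host7.shared-hosting.example'];

$aRecords = fn(string $h) => $A[$h] ?? false;   // stands in for gethostbynamel()
$ptr      = fn(string $ip) => $PTR[$ip] ?? $ip; // stands in for gethostbyaddr()

// 192.0.2.11   : one of several A records of the domain
// 198.51.100.7 : outbound address of a shared host; its PTR names the hosting company
// 203.0.113.5  : no PTR record at all
foreach (['192.0.2.11', '198.51.100.7', '203.0.113.5'] as $ip) {
    printf("%-14s %s\n", $ip, callerDomainCheck($ip, 'examplea.com', $ptr, $aRecords));
}
```

Only the first caller can be tied to the domain; a legitimate site on shared hosting lands in the second case, which is why the check cannot be relied on.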

Generally speaking, if you already have an API key, I wouldn’t bother with an additional check of IP/domain/whatever. Just log the use of API keys instead. If an API key is doing a lot of requests from a lot of different IPs you can be pretty sure the key has been compromised/shared and then you can just kill that key.

Out of all security measures IP limiting is one of the worst, as you’re slowly finding out.
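Added example, not part of any post in this thread: the "log the use of API keys" approach suggested above, as a check that counts distinct client IPs per key inside a time window and flags keys that exceed a limit. The log format, key names, window and threshold are assumptions, and the log lines are constructed sample data.

```php
<?php
// Constructed sample log, one line per API call:
// "<ISO-8601 time> <api key> <REMOTE_ADDR>"
$log = <<<LOG
2024-05-01T10:00:02Z key_fish 192.0.2.10
2024-05-01T10:00:09Z key_fish 192.0.2.11
2024-05-01T10:01:30Z key_meat 198.51.100.7
2024-05-01T10:02:11Z key_meat 203.0.113.5
2024-05-01T10:02:40Z key_meat 203.0.113.77
2024-05-01T10:03:05Z key_meat 198.51.100.200
this line is malformed and is skipped
2024-05-01T10:04:00Z key_meat 192.0.2.99
2024-04-30T08:00:00Z key_fish 203.0.113.200
LOG;

// Number of distinct client IPs seen per key within the window ending at $now.
function distinctIpsPerKey(string $log, int $windowSeconds, int $now): array
{
    $seen = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $parts = preg_split('/\s+/', trim($line));
        if (count($parts) !== 3) {
            continue;                       // malformed line
        }
        [$ts, $key, $ip] = $parts;
        $t = strtotime($ts);
        if ($t === false || $t > $now || $now - $t > $windowSeconds) {
            continue;                       // unparsable or outside the window
        }
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            continue;                       // not an IP address
        }
        $seen[$key][$ip] = true;            // array keys act as a set
    }
    return array_map('count', $seen);
}

// Keys used from more than $maxIps addresses: candidates for review or revocation.
function suspectKeys(array $counts, int $maxIps): array
{
    return array_keys(array_filter($counts, fn(int $n) => $n > $maxIps));
}

$now    = strtotime('2024-05-01T10:05:00Z');
$counts = distinctIpsPerKey($log, 3600, $now);
print_r($counts);
print_r(suspectKeys($counts, 3));
```

With the sample data, key_fish is seen from two addresses in the last hour (consistent with a load-balanced caller) and key_meat from five, so only key_meat is flagged.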

That’s exactly what I am made to believe, so I had to rely on a manual frequency check to know how to apply a throttle.
I am just wondering how many API keys I could monitor at a time.
I just wish certain things worked the way I imagine them, but I am always faced with what works and what does not exist.

You are mostly right, it is either via a frequency log or by billing per call,
which are my last two options left.
I hate logs; some logs are resource-consuming and keep track of all calls, including those from bots.