: How to verify that someone owns a website? I'm trying to think of ways to, as securely as possible, verify that a user owns a website that they claim to own. Here are some ways I've seen:
I'm trying to think of ways to, as securely as possible, verify that a user owns a website that they claim to own.
Here are some ways I've seen:
Upload an obscurely-named HTML file to the root directory with given contents
Include a meta tag or other comment somewhere in the home page source
Send an email to an address @domainwearetryingtovalidate .tld with a verification link
Check a CNAME or TXT record
Check WHOIS records
Physically validate by calling or emailing the support line, manually updating records
And here are the problems with those methods, in order:
Some website configurations may not allow for simply uploading a file to the root
Poor site design might allow a user of that site to add this meta tag themselves
Websites which provide email services make this useless; take gmail.com for example
That's too complex for most small website owners to figure out how to do
Those are public; anyone can claim to be whoever. Not to mention most often inaccurate.
Huuuuge waste of time
Are there any other ways to verify that a user on your site owns a particular website? Of the methods I listed, which of these are best and worst? I ordered them from best to worst in my own opinion, but I'd like to see what others think as well.
I plan on implementing one or more of these in PHP.
More posts by @Sims2060225
3 Comments
Sorted by latest first Latest Oldest Best
The microformats site is down now as I write this, but the Google cache is available. This is a solution for you:
microformats.org/wiki/RelMeAuth
Uploading an obscurely named file is the way to go.
You wrote the drawback is that they may not be allowed to upload a file to the root. Well in that case it means they don't own the website, which is what you're trying to find out.
I definitely think
Upload an obscurely named html file to the root directory with given contents
is the best way to go. I've actually had to do this once. And I don't think many website configurations prevent you from doing this.
If you're really concerned about this, why not allow all (safe) options?
Regarding your comment:
Yes but with MVC systems (such as codeigniter), it can be a hassle to figure out how to access a physical file which isn't a part of the main system
In these rare cases, let those admins go with the CNAME / TXT records or call them :-)
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.