
Prevent facebook canvas app from being accessed directly/outside of facebook

I'm developing a canvas application for Facebook and I want to prevent users from accessing the application directly from the canvas URL (as much as possible; I realize this might not be possible 100% of the time) and force users to access the app from apps.facebook.com/foo.

I'm developing the app with PHP, and my first thought was to check the $_POST array for 'signed_request', which is the value passed from Facebook to the canvas app, and send a redirect if this value was not present. But it appears this value is only passed once, and when users click different links in my application the 'signed_request' parameter is not passed again.

Can I reasonably trust 'HTTP_REFERER' to verify users are accessing the application from http://apps.facebook.com/foo and redirect users when HTTP_REFERER does not equal that value?

EDIT: I've actually just noticed that on the original request for the app at apps.facebook.com/foo the HTTP_REQUEST header is equal to 'apps.facebook.com/foo' but when the user clicks a link in the app HTTP_REQUEST becomes equal to the canvas url.


I would recommend that you check the signed_request parameter and, if it is valid, use a PHP session variable to track whether this is a Facebook-based request. It will not prevent someone from using your app on Facebook first and then going to the app directly, however.

An additional check you could do would be to use JavaScript to check

window == window.top

which should tell you if you are in a frame or not.
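The first half of this answer (validate signed_request, then remember the result in the session) as an added PHP example; it is not code from the answer above or from Facebook's SDK. It assumes the app secret is supplied by the caller (the hypothetical constant APP_SECRET in the usage comment) and relies only on Facebook's documented signed_request format: a base64url signature, a dot, and a base64url JSON payload, where the signature is HMAC-SHA256 over the encoded payload keyed with the app secret.

```php
<?php
// Added example, not part of the original answer.
// Verifies Facebook's signed_request and gates canvas pages on a session flag.

// Facebook uses URL-safe base64 without padding; base64_decode tolerates the
// missing padding once the alphabet is mapped back.
function base64url_decode(string $s)
{
    return base64_decode(strtr($s, '-_', '+/'));
}

/**
 * Returns the decoded payload array when the signature verifies, otherwise null.
 */
function parse_signed_request(string $signed_request, string $app_secret): ?array
{
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded_sig, $encoded_payload] = $parts;

    $sig = base64url_decode($encoded_sig);
    $raw_payload = base64url_decode($encoded_payload);
    if ($sig === false || $raw_payload === false) {
        return null;
    }

    $data = json_decode($raw_payload, true);
    if (!is_array($data) || strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }

    // The MAC covers the encoded payload exactly as received, not the decoded JSON.
    // hash_equals() gives a constant-time comparison.
    $expected = hash_hmac('sha256', $encoded_payload, $app_secret, true);
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    return $data;
}

/**
 * Call at the top of every canvas page. The first request from apps.facebook.com
 * carries signed_request in $_POST; later in-app clicks do not, so those fall
 * back to the session flag set on the first request. Anything else is redirected
 * to the canvas URL. Returns the payload (or the saved user id) for the page.
 */
function require_facebook_canvas(string $app_secret, string $canvas_url): array
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    if (isset($_POST['signed_request'])) {
        $data = parse_signed_request((string) $_POST['signed_request'], $app_secret);
        if ($data !== null) {
            $_SESSION['fb_canvas'] = true;
            $_SESSION['fb_user_id'] = $data['user_id'] ?? null;
            return $data;
        }
        // Present but invalid: treat as forged and drop any earlier trust.
        unset($_SESSION['fb_canvas'], $_SESSION['fb_user_id']);
    }

    if (empty($_SESSION['fb_canvas'])) {
        header('Location: ' . $canvas_url, true, 302);
        exit;
    }
    return ['user_id' => $_SESSION['fb_user_id'] ?? null];
}

// Usage (APP_SECRET is assumed to be defined in your own config):
// $fb = require_facebook_canvas(APP_SECRET, 'https://apps.facebook.com/foo/');
```

Two things the page's discussion implies but does not spell out: the session flag has exactly the weakness the answer names (once set, it keeps working when the user opens the canvas URL directly until the session expires), and the payload's issued_at field can be compared against time() to reject a replayed signed_request that is hours old. Neither the referer check nor the window.top check adds anything an attacker with cURL or a browser console cannot bypass, so the HMAC verification is the only part of this that is actually authenticated.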


Using cURL you can simulate any request, really. So no, you can never be completely safe checking the REFERER. But to some degree it does give you protection against people just copying the URL and accessing it directly.

