How to restrict endpoint access to htmx only?

I understand that any client/hacker can create any header. But the value for that header is another matter, isn’t it?

The idea I’m fleshing out (and readying to test in my dev environment) is two steps:

  1. All my hx-get requests include a custom header via hx-headers – say, “reallyfromHTMX” – and they set this header equal to some secret key obtained from a .env file on my server.

  2. All the htmx-triggered Views look for the “reallyfromHTMX” header and check that it’s set to the expected secret key value (per that same .env file on the server).

Anyone can send a GET with that “reallyfromHTMX” header in it, yes. But how can they discover what the secret key value is? The only time it’s used is a GET request that’s fully internal to my server.
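The two steps above, as an added example that is not part of the original post: plain-Python functions stand in for the server-side views, and the secret value, the `/partial` URL, the session ids and the session-bound alternative are all assumptions made for illustration. It shows where the value placed in `hx-headers` ends up, since htmx reads that attribute from the page markup delivered to the browser.

```python
import hashlib
import hmac
import html
import json
import re

# Constructed stand-in for the value the post loads from .env.
SECRET_KEY = "constructed-demo-secret"
HEADER = "reallyfromHTMX"


def render_button(header_value: str) -> str:
    """Step 1: emit an element whose hx-headers carries the custom header."""
    attr = html.escape(json.dumps({HEADER: header_value}), quote=True)
    return f'<button hx-get="/partial" hx-headers="{attr}">Load</button>'


def headers_in_markup(markup: str) -> dict:
    """What every recipient of the page can read back out of hx-headers."""
    m = re.search(r'hx-headers="([^"]*)"', markup)
    return json.loads(html.unescape(m.group(1))) if m else {}


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return hmac.compare_digest(a.encode(), b.encode())


def view_static(request_headers: dict) -> int:
    """Step 2 as described: compare the header to the .env secret."""
    return 200 if _same(request_headers.get(HEADER, ""), SECRET_KEY) else 403


def session_token(session_id: str) -> str:
    """Hypothetical alternative: per-session HMAC, so SECRET_KEY stays server-side."""
    return hmac.new(SECRET_KEY.encode(), session_id.encode(), hashlib.sha256).hexdigest()


def view_session_bound(request_headers: dict, session_id: str) -> int:
    """Accept only the token derived for the caller's own session."""
    return 200 if _same(request_headers.get(HEADER, ""), session_token(session_id)) else 403
```

The session-bound value is still visible to the user it was issued to; it only stops a value copied from one session's page from being accepted in another.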