
I have a public php site. It features JSON webservices, which I use for jQuery autocomplete. The web site is public, so are the webservices.

However, I want to restrict the webservices so they can only be called from the corresponding website (ie HTML pages loaded from that web site).

What would be a good solution for that?

Restriction in this context means: My webservice (e.g. fooservice.php) is public. As the user is not authenticated I wonder how I can check if it is called from a page of my site (e.g. mypagewithautocomplete.php).


https://stackoverflow.com/a/38614140/356726 is a useful answer (+1), but only avoids AJAX usage from another browser. It does not prevent just reading the JSON result in the browser.

Horst Walter
  • What do you mean by 'restrict'? That is a wide range. Basically, if you want to prevent the usage in other scripts, you should get in touch with CORS: https://de.wikipedia.org/wiki/Cross-Origin_Resource_Sharing – eisbehr Jul 27 '16 at 13:18
  • You can generate a token upon loading the web page, store it in the HTML, store it in the DB, have the autocomplete send the token with every request, validate token against the DB, and even expire the token after 12 hours or whatever. – MonkeyZeus Jul 27 '16 at 13:19
  • Checking on CORS and header as described below, thanks so far https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS – Horst Walter Jul 27 '16 at 13:27

2 Answers


Add to your webservice this:

// The value must be a full origin (scheme://host[:port]); a bare host name never matches the browser's Origin header.
header('Access-Control-Allow-Origin: https://yourdomain.com');

More info

That would avoid any intent of using your WS with Ajax calls.

Would this prevent me from CURL'ing OP's web service?

No, CURL can fake any header. But with that header nobody could use your WS directly. If there's anyone with enough time to make a gateway with CURL to use your WS in their website you can detect that easily for their massive usage of your WS.

Martin
  • Would this prevent me from CURL'ing OP's web service? – MonkeyZeus Jul 27 '16 at 13:20
  • No, CURL can fake any header. But with this header nobody could use your WS directly. If there's anyone with enough time to make a gateway with CURL to use your WS in their website you can detect that easily for their massive usage of your WS. – Martin Jul 27 '16 at 13:24
  • 1
    I think your comment is worth mentioning in your answer so that people don't think a CORS header is an air-tight solution. – MonkeyZeus Jul 27 '16 at 13:35
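As an added example (not Martin's code) of the header above done the way browsers actually evaluate it: a PHP endpoint that sends Access-Control-Allow-Origin only when the request's Origin header is on an allow-list, answers the preflight, and otherwise serves the JSON. The origins, the fooservice.php role taken from the question, and the sample suggestion data are assumptions.

```php
<?php
// Added example, not Martin's code: a fooservice.php-style endpoint that sends
// Access-Control-Allow-Origin only for an allow-listed origin. Origins are assumptions.
declare(strict_types=1);

const ALLOWED_ORIGINS = [
    'https://www.example.com',   // assumed origin of the site that owns the service
    'https://example.com',
];

// Returns the CORS headers to send for a given Origin request header (null = none sent).
function corsHeadersFor(?string $origin): array
{
    // The browser compares this value with the full origin (scheme://host[:port]),
    // so a bare host name like "yourdomain.com" never matches and grants nothing.
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];   // no ACAO header: a page on another origin cannot read the response
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Vary'                         => 'Origin',   // stop caches replaying one origin's answer to another
        'Access-Control-Allow-Methods' => 'GET',
        'Access-Control-Allow-Headers' => 'X-Requested-With',
    ];
}

// Builds the JSON body: suggestions starting with the typed prefix (sample data is constructed).
function suggestionsFor(string $term, array $suggestions): array
{
    if ($term === '') {
        return [];
    }
    return array_values(array_filter(
        $suggestions,
        fn(string $s): bool => strncmp($s, $term, strlen($term)) === 0
    ));
}

$origin = $_SERVER['HTTP_ORIGIN'] ?? null;
foreach (corsHeadersFor($origin) as $name => $value) {
    header("$name: $value");
}

if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    http_response_code(204);   // preflight: the headers above are the whole answer
    exit;
}

// CORS governs only what a browser lets another site's script read. curl or a
// server-side proxy can send any Origin, so the data itself is not protected here.
header('Content-Type: application/json; charset=utf-8');
echo json_encode(suggestionsFor((string)($_GET['term'] ?? ''), ['alpha', 'alps', 'beta']));
```

A same-origin GET carries no Origin header, so it receives no ACAO header and needs none; a page on another origin receives none either, and its script cannot read the response. As the comments say, this binds only the browser: a curl client or a server-side gateway can send any Origin, so CORS restricts Ajax use from other sites, not access to the data.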

Here is what I did. As described in Pass request headers in a jQuery AJAX GET call it is possible to pass a request header to my Ajax request.

I check for this header value and deny access when it is not present. It is a minimal and by far not perfect means, but does its job. I have combined it with the recommended header('Access-Control-Allow-Origin: yourdomain.com'); . In combination it seems to be sufficient for now.

  1. no cross domain AJAX access
  2. no browsing of JSON data by just entering the URL
Horst Walter