5

Some smartass people are using my api-centric web app to clone my service and make it appear like their own. Is there a way to make sure all ajax requests are for/from my website?

Sure I could use the referrer header but they could easily fake it.

Jürgen Paul
  • How are they cloning it? The only way I can think of for you to secure it is to use SSL. – Frazell Thomas Sep 20 '12 at 04:35
  • possible duplicate of [How to secure JSON call without using a captcha](http://stackoverflow.com/questions/12444608/how-to-secure-json-call-without-using-a-captcha) – DCoder Sep 20 '12 at 04:41

1 Answer

5

Set a cookie on the client when it hits your site, before it sends any Ajax requests.

Then validate the cookie when serving the Ajax.

Or alternatively you could make your Ajax requests POST only. This way they are subject to the same origin policy.

It will break the whole RESTful ideology though.

http://en.wikipedia.org/wiki/Same_origin_policy

Petah
  • security > ideology, though POST for this purpose bugs me too. – Tim M. Sep 20 '12 at 04:39
  • 1
    I guess jQuery's `JSONP` will work around this `same-origin` restriction and keep getting data as usual. – web-nomad Sep 20 '12 at 05:54
  • Is it possible to deny the `JSONP` requests? – Jürgen Paul Sep 20 '12 at 07:06
  • I am afraid not. The first option suggested here should work (setting / validating a cookie). – web-nomad Sep 20 '12 at 07:38
  • @Hermione using the first method (a Cookie) will not be subject to the JSONP vulnerability. – Petah Sep 20 '12 at 07:42
  • The cookie solution might not work if the offending site loads yours in a hidden frame though… – Didier L Feb 05 '13 at 15:31
  • @DidierL see http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed if you need to prevent being framed. – Petah Feb 05 '13 at 21:10
  • I think those solutions might only be applicable when javascript is enabled and you set the cookie via javascript. I don't think even the `X-Frame-Options: deny` would block cookies set via the HTTP headers. – Didier L Feb 06 '13 at 09:45
  • @DidierL designing for the 1% of people with JavaScript disabled is like designing for people who use IE 5. – Petah Feb 06 '13 at 20:52
  • The offending site could use some tricks to disable the JS within the iframe. On IE, just use ` – Didier L Feb 07 '13 at 08:18
  • @DidierL, ok so only set the cookie check if JavaScript is enabled. You could do this by either setting the cookie with JavaScript, or getting JavaScript to redirect to a unique URL to set the cookie. If you have a specific problem you are trying to overcome, ask it in a new question rather than arguing your point in comments. – Petah Feb 07 '13 at 09:39
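The cookie approach from the accepted answer, worked through as an added example (not code from the original post): the page response sets an HMAC-signed, expiring token in a cookie, and the Ajax endpoint only serves requests that carry a valid one. The secret, cookie name and TTL are constructed for the example; the `HttpOnly`/`Secure`/`SameSite=Strict` attributes are a modern addition that the 2012 answer did not have.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"server-side-secret-rotate-me"  # constructed example secret; keep it server-side
COOKIE_NAME = "ajax_token"                # constructed cookie name
TTL_SECONDS = 3600


def issue_token(secret, now=None):
    """Mint a token of the form <expiry>.<base64(HMAC-SHA256(expiry))>."""
    now = int(time.time()) if now is None else now
    expiry = str(now + TTL_SECONDS).encode()
    sig = hmac.new(secret, expiry, hashlib.sha256).digest()
    return expiry.decode() + "." + base64.urlsafe_b64encode(sig).decode()


def set_cookie_header(token):
    """Set-Cookie header sent with the normal page, before any Ajax is made.
    SameSite=Strict withholds the cookie when the page is framed by another site."""
    return "%s=%s; Path=/; HttpOnly; Secure; SameSite=Strict" % (COOKIE_NAME, token)


def validate_token(token, secret, now=None):
    """True only if the signature matches and the token has not expired."""
    now = int(time.time()) if now is None else now
    try:
        expiry_s, sig_b64 = token.split(".", 1)
        expiry = int(expiry_s)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return False
    if now >= expiry:
        return False
    expected = hmac.new(secret, expiry_s.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)  # constant-time comparison


def _cookie_value(cookie_header, name):
    """Pull one cookie out of a raw Cookie request header."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def ajax_request_allowed(headers, secret, now=None):
    """Decision for the Ajax endpoint: serve only if the cookie validates."""
    token = _cookie_value(headers.get("Cookie", ""), COOKIE_NAME)
    return token is not None and validate_token(token, secret, now)
```

A third-party page that merely pulls the JSON URL from its own scripts never received the cookie from your page view, so its requests fail the check; the SameSite attribute also covers the hidden-frame case raised in the comments, since the browser does not attach the cookie to requests made from a frame whose top-level site is not yours.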