39

In my project , I need to allow others send ajax requests to my script . So external requests may come from other websites and domains and maybe from browser extensions.
I've added simply these two lines at top of my script to let them do it: 

header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');

Now my question is this : Is here any security consideration I've missed? does this simple solution make serious problems?
If so , what is the better solution?

Thanks for response.

Aliweb
  • 1,891
  • 3
  • 21
  • 44

4 Answers4

19

As mentioned above, anyone can send a request to you page at any time: so the major security concerns you need are to validate user input and only reveal information that is available for public consumption. But that applies to all scripts.

The two main issues you need to concentrate on (after validating user input) are:

  1. The problem you may have is users receiving the information into their scripts. Depending on the browser (and even between flavours of the same browser) there are different security rules that prevent them from getting the information back. A common solution to this is to provide information back as "JSONP" which is to wrap your return value as a function call that can be executed by the client. Here's a quick example (taken from http://www.geekality.net/2010/06/27/php-how-to-easily-provide-json-and-jsonp/). To further lock it down, you can insist that all queries are JSONP and reject anyone not sending the callback function.

.

<?php

header('content-type: application/json; charset=utf-8');
$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);
echo $_GET['callback'] . '('.json_encode($data).')';

?>
  1. Someone abusing your service by calling too regularly. Solutions for this are to trap the IP address and reject if you get too many calls from an IP address. Not foolproof, but it's a start.

Other factors to bear in mind:

  • cookies and other headers set by your script will probably be ignored
  • same applies to sessions
Robbie
  • 17,605
  • 4
  • 35
  • 72
  • Always beware user input! http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php – PieSub Nov 15 '12 at 00:12
1

Like zerkms said, if they just "go" to your php page, they will be able to see whatever it echos out. If it's possible (Not sure it is), it will also allow unwanted people to create their own forms even on a localhost and submit them via AJAX to get the responses they want .. If that's ok with you, and the information is ambiguous/harmless ... Then I suppose it would be "safe". It's NOT ok method to get/transfer sensitive information

Zak
  • 6,976
  • 2
  • 26
  • 48
  • well the information this script provide and `echo()` are not *sensitive*. Well I want to know if there is a better solution – Aliweb Nov 14 '12 at 23:22
  • If it's not "sensitive", and it's possible, in theory I don't see a "better" solution other than server-side communication where there is no client-side attainment of information. Such as an ajax call that possibly calls to a php file on your OWN server, said php file does the work, contacts OTHER server, and returns results, and as far as the client is concerned, everything happened on your end, and there was no third party involved – Zak Nov 14 '12 at 23:37
1

This worked perfect for me.

header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Headers: X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");
header("Allow: GET, POST, OPTIONS, PUT, DELETE");
$method = $_SERVER['REQUEST_METHOD'];
if($method == "OPTIONS") {
    die();
}
Jean Paul Beard
  • 337
  • 3
  • 3
0
private function set_headers() {
    header("HTTP/1.1 ".$this->_code." ".$this->get_status_message());
    header("Content-Type:".$this->_content_type);           
    header("Access-Control-Allow-Origin: *");
}
Tunaki
  • 132,869
  • 46
  • 340
  • 423
paras
  • 9
  • 1