Restrict web api to web server

Question

Currently when I want to get data from my database through ajax I use an external php file which just grabs the data from the database with mysqli and echoes the results and sends the data to ajax.

I now want to change that into a more effective solution. I thought I would first change it so that the php file outputs json data for future projects and easier data managament. But I don't want everyone else to be able to access this data directly other than through my website. And since you can see the ajax connection by inspecting the website it's really easy to find out.

I don't want it to become a place where everyone can just access the raw json data and build their own applications/websites from.

What other solutions are there? Only my web server should be able to access it.

score 1 · Answer 1 · answered May 02 '13 at 15:05

1

Estabilish a session when the user access your site
Check the session before answering any AJAX call

Note, this isn't bombproof, but only a starting point.

answered May 02 '13 at 15:05

STT LCU

4,348
4
29
47

How will this prevent any user to access the json results? I only want my web server to access it. – Oskar Persson May 02 '13 at 15:53
Set it up so only your server has the session. Random people can access it all the day long and will simply be rejected. – Xeoncross May 02 '13 at 15:56
How do I give the server the session and "send" it with the ajax call? – Oskar Persson May 02 '13 at 15:58

score 0 · Answer 2 · edited May 23 '17 at 11:49

There's no way to hide json data from a user who is allowed to use the document which requesting it. In other words: you cant really deny the inspection of the data if arrived to browser by an allowed way (using your site normal way). However, you can make leeching difficult. If you make the leeching the process longer than time needed to build a self-made database, you win.

Reduce the amount of data you sending in one request: don't send more data than you actually displaying.
Split data to paged list and detail views. So for accessing the complete data, the leecher has to make lot-lot requests. You can then limit calls/period/user (using session).
Identify users, if your project allows it. There are many methods to reduce the unwanted registrations. Also, you can make the data access limiting (above) more efficient (you can connect the counters to the user).
You can use key-based encrypting. You can find a possible solution here: Simple Javascript encrypt, PHP decrypt with shared secret key Obviously, the browser will decrypt the data, therefore you need send the key to it. That means: the process will be reproducible, however takes much more time than a simple inspection. You can variate the parameters of encryption to make it even more difficult.

You can do some additional steps to make scripted leeching a bit more difficult. However, these will not make the browser-inspection harder:

Check referrer you got from request header. It should match to your document's url.
Don't send anything if the X-Requested-Width header doesn't set to 'XMLHttpRequest' ($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'). This is safe, all browser sending it on ajax requests.
You can add an unique, one-time parameter to the ajax url. You can pass the parameter (or the whole url) by PHP, using simple "script" tags (var param='uniqparam123';). You will need a fast solution to temporary store the sent keys for a while. Once an ajax request incoming, you can match the key, remove from list, then send the data out.

Hope you can cherry-pick some of these.

Restrict web api to web server

2 Answers2