0

I would like to determine whether or not a request to my REST API has been made from the jQuery $.ajax() method.

Before answering this question with one of the obvious answers of adding a boolean to the data sent to the server, or by adding a header, I do not want to do this...

Obviously this can be achieved like so:

$.ajax({
    data: {
         sentViaAjax: 'true'
    }
});

However, for various reasons I would like the boolean/additional header to remain hidden from the code.

Therefore, what I would like to know is does jQuery send any other data in any particular form to the server when it makes a request?

I have tried printing out the $_REQUEST array but this does not contain anything other than my data sent. Are there any unique headers to look out for? If so, are they reliable, as in, will they always be there?

Ben Carey
  • 16,540
  • 19
  • 87
  • 169

1 Answers1

6

jQuery sends the following header on non-cross-domain ajax requests:

X-Requested-With: XMLHttpRequest

So you could look for that header on the request.

T.J. Crowder
  • 1,031,962
  • 187
  • 1,923
  • 1,875
  • 1
    @Alnitak: You should, I do. Be sure you're looking at the *request* headers, not the response headers. – T.J. Crowder May 14 '13 at 11:06
  • it's not in the request headers listed in the network monitor part of Chrome's devtools. I didn't yet look see what the server itself receives. – Alnitak May 14 '13 at 11:07
  • You da man @T.J.Crowder. Would rely on this in an application? – Ben Carey May 14 '13 at 11:07
  • @Ben Carey: you should not rely on any client info. In this case the presence of such header means "It's likely a request has been sent with AJAX" – zerkms May 14 '13 at 11:08
  • 4
    @BenCarey: I would try to avoid caring how the request was generated. And note that if someone wanted, they could modify jQuery not to send the header, or use `XMLHttpRequest` directly, or use a tool that isn't even part of a browser to send a completely custom request... – T.J. Crowder May 14 '13 at 11:10
  • @T.J.Crowder Of course they can modify the header, however, I am only bothered about ajax requests sent from my application. I basically want to print the api call result in json is request has come via AJAX, otherwise redirect... So I am pretty sure I can rely on it given that it is only my code that I am bothered about? – Ben Carey May 14 '13 at 11:12
  • @Ben Carey: it can be stripped by some software between your app and a client: a proxy server, an antivirus, a firewall, ... (even though it's unlikely, but still possible) – zerkms May 14 '13 at 11:13
  • @BenCarey: Sure, I don't see why not. But if your preference for not sending a marker is just because you have a lot of different `ajax` calls, you could use `ajaxSetup` to automatically add a marker. But yeah, I would think for the use you've outlined `X-Requested-With` should be fine. – T.J. Crowder May 14 '13 at 11:13
  • @zerkms Yes but that is the clients problem for having anal security... If they are going to strip headers from a request then they cannot expect websites to function correctly... – Ben Carey May 14 '13 at 11:14