
Could I please request your advice on the following problem:

I'd like to restrict access to a web folder through the Web URL (I understand that this could be done using .htaccess). However, my concern is that I'd also like the code files in this folder to be accessible to AJAX calls.

Reference question: deny direct access to a folder and file by htaccess

Is it therefore correct to assume that any access allow/deny rule in .htaccess is automatically applicable to AJAX calls as well (since they're based on URLs)? And if so, what could be the best way to let the server access mechanism know that it's some "code" that is trying to communicate with it?

Please do let me know if I could provide any clarifications or additional details. Thanks a lot!

Dhruv Saxena

2 Answers

2

You can do so based on HTTP_REFERER; put this code in your DOCUMENT_ROOT/.htaccess file:

RewriteEngine On

## disable direct access
# only act when a Referer header is present (an empty Referer is let through)
RewriteCond %{HTTP_REFERER} !^$
# ... and that Referer is not one of our own pages (case-insensitive)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/ [NC]
# then answer 403 Forbidden for anything under somefolder
RewriteRule ^somefolder - [F,NC]

Though I must add that an HTTP_REFERER-based check is not very strong and can be easily spoofed.

anubhava
1

You should implement an authentication mechanism based on sessions.

  1. In your application, the user logs in.
  2. In your AJAX files, you test whether the user is authenticated, and if he's not, you return a 403 Forbidden header.

You could also send a custom header with AJAX and test, in your AJAX files or with .htaccess, whether it is present. But this is less secure than authentication, because someone could forge the request.

Lorenz Meyer
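To make the difference between the two answers concrete, here is an added Python model (not code from either answer, and not a real Apache or PHP environment) of the three gates a server could put in front of the "AJAX-only" folder: the Referer rule from the .htaccess in the first answer, the custom-header check mentioned in the second answer, and the session check the second answer recommends. The `Request` object, the `X-Requested-With` header value, the user database and the path `/somefolder` are all constructed for the example. Running it shows that a client can satisfy the Referer and header gates just by setting those headers, while the session gate only opens after a server-side login.

```python
"""Model of three ways to gate an "AJAX-only" folder (constructed example).

Mirrors the .htaccess logic of the first answer (Referer check), the custom
header idea and the session-based check of the second answer. Nothing here
talks to Apache; requests and sessions are plain dicts built in the tests.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Same pattern as: RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/ [NC]
ALLOWED_REFERER = re.compile(r"^http://(www\.)?domain\.com/", re.IGNORECASE)
PROTECTED_PREFIX = "/somefolder"                      # RewriteRule ^somefolder - [F,NC]
AJAX_HEADER = ("X-Requested-With", "XMLHttpRequest")  # assumed marker header

# Constructed credential store: username -> sha256(salt + password)
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)  # server-side session, filled at login

    def header(self, name):
        """HTTP header names are case-insensitive, so compare lower-cased."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def referer_gate(req):
    """Answer 1 as code: 403 only when a Referer is present AND does not match
    our own site. A missing Referer passes, exactly as `!^$` does in Apache."""
    if not req.path.lower().startswith(PROTECTED_PREFIX.lower()):
        return 200
    ref = req.header("Referer")
    if ref != "" and not ALLOWED_REFERER.match(ref):
        return 403
    return 200


def custom_header_gate(req):
    """Custom-header variant: require the AJAX marker header. Any HTTP client
    can add it, so this only stops plain navigation in a browser."""
    name, value = AJAX_HEADER
    return 200 if req.header(name) == value else 403


def login(session, username, password):
    """Step 1 of answer 2: verify credentials and record the user in the session."""
    expected = USERS.get(username)
    given = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is not None and hmac.compare_digest(expected, given):
        session["user_id"] = username
        return True
    return False


def session_gate(req):
    """Step 2 of answer 2: the AJAX file checks the server-side session and
    answers 403 Forbidden when nobody is logged in. Headers play no role."""
    return 200 if req.session.get("user_id") else 403


if __name__ == "__main__":
    forged = Request("/somefolder/api.php",
                     {"Referer": "http://www.domain.com/app",
                      "X-Requested-With": "XMLHttpRequest"})
    print("forged headers, no login :", referer_gate(forged),
          custom_header_gate(forged), session_gate(forged))   # 200 200 403
    login(forged.session, "alice", "correct horse")
    print("after login             :", session_gate(forged))  # 200
```

The Referer gate reproduces the two-condition structure of the .htaccess rules, including the loophole that a request without any Referer header is allowed through; the session gate is the only one whose decision depends on state the client cannot simply write into the request.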