Preventing calls to php scripts from a localhost or from another domain

Question

I have a website with some php scripts, some of them are called in ajax.
I'd like to prevent my site from some malicious users who would try calling and using those scripts from another site, or from a dummy localhost site.

I thought about filtering the domain name, but with some tools like EasyPHP and virtual host managers, you can run a local website tricking the "domain" name.

I also thought about filtering the IP adress of the caller, but I guess that if you can trick the "domain" name, you can also trick the localhost IP.

So, how may I do this to have this security work fine ?

Answer 1

What are you referring to is called Cross Site Request Forgery.

Calling one of your scripts from another website will be forbidden by same-origin policy. Taking this into consideration and the fact that an AJAX request can contain only a few headers without the consent of the server via Cross-Origin Resource Sharing, you can send a custom HTTP header and checking that header on the server side, from PHP. If the header is missing, most likely the request is not coming from your own application.

You could also require each client to send a unique token for each request in order to fetch the data. Most common used token method is called Synchronizer token pattern.

Sorry for the long list of links included in this answer, but I consider the subject to be a delicate one and like any security problem, I think it is crucial to read as much as you can, from many sources, in order to understand the problem from different perspectives, available solutions and pick the right one for your use case.

Resources to read:

• How to stop other website to send cross domain ajax requests?
• What's the point of X-Requested-With header?
• Using CORS