I am loading specific files through ajax, but how do I actually prevent people from accessing these files directly?
BTW, all these specific files are located in the /ajax/ directory.
Would that only work with .htaccess? And if yes, how?
You could try to check the referrer, and if there is none then it's a direct access. This is not bulletproof because the referrer can be faked.
I am loading specific files through ajax, but how do I actually prevent people from accessing these files directly?
You can't reliably. The server can't distinguish an Ajax call from any other call.
However, there are some telltale signs that usually point towards a call being an Ajax call. (Remember, this can all be faked by a client at any time.) They are discussed in this question: How to differentiate Ajax requests from normal Http requests?
You can't, at least not in a reliable way. If the browser can access these files using an AJAX call, they can be accessed.
You could do some hacky things like setting a special header in your AJAX calls and checking it on the server, but this can easily be forged. The same goes for Referer checks.
If you need some kind of access control you must use server-side code to authenticate the request. Since the AJAX requests are coming from the browser they will carry the domain cookies (if set), so you could e.g. check if the user is logged in, or only return data the user should be able to see.
And remember: if the data can be accessed by client-side code, the data can always be accessed by an attacker. There is absolutely no way to prevent this.
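To make the contrast in the answers above concrete, here is an added example (not code from any of the posters) of a handler for a file under /ajax/: the Referer / X-Requested-With check that any client can satisfy, next to the session-cookie check that actually decides access. The in-memory session store, the cookie name `sid` and the origin `https://example.com` are constructed placeholders.

```python
import hmac
from http.cookies import SimpleCookie

# Constructed in-memory session store (hypothetical; a real app would use
# its framework's session backend). Maps session id -> logged-in user.
SESSIONS = {"s3ss10n-abc": "alice"}

def weak_is_ajax(headers):
    """The 'telltale sign' checks from the answers above. Any HTTP client can
    send these headers, so this must never be the access-control decision."""
    return (headers.get("X-Requested-With") == "XMLHttpRequest"
            and headers.get("Referer", "").startswith("https://example.com/"))

def current_user(headers):
    """Authenticate the request from the session cookie the browser attaches
    automatically to same-origin Ajax calls. Returns None if not logged in."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    morsel = cookie.get("sid")
    if morsel is None:
        return None
    # Constant-time comparison against each known id (avoids timing leaks).
    for sid, user in SESSIONS.items():
        if hmac.compare_digest(sid, morsel.value):
            return user
    return None

def handle_ajax_request(headers, owner):
    """Handler for a resource under /ajax/ that belongs to 'owner'.
    Returns (status, body); the decision depends only on the session,
    never on whether the request 'looks like' Ajax."""
    user = current_user(headers)
    if user is None:
        return 401, "not logged in"
    if user != owner:
        return 403, "forbidden"          # only return data the user may see
    return 200, f"private data for {owner}"
```

A request that merely imitates the Ajax headers passes `weak_is_ajax` but is still rejected by `handle_ajax_request`, while a plain direct request with a valid session is served, which is exactly the behaviour the answers describe.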