Possible Duplicate:
Prevent Direct Access To File Called By ajax Function

I'm creating a site that relies on AJAX calls to a PHP page. Is there a way to prevent access to the raw data? (i.e. accessing the php file via their own post requests).

I would guess the best way to do this (if possible) would be to prevent PHP from sending data to anything that doesn't come from AJAX (since that has to come from the same domain). Any suggestions?

frostmatthew
  • http://davidwalsh.name/detect-ajax – Evan Mulawski Aug 19 '11 at 21:37
  • Be aware that this method is not 100% safe. HTTP headers like the HTTP_X_REQUESTED_WITH can be spoofed quite easily. Also, this question was asked before: http://stackoverflow.com/questions/1756591/php-prevent-direct-access-to-file-called-by-ajax-function – Luwe Aug 19 '11 at 21:40
  • @Luwe: What does that question have in common with this one? – Lightness Races in Orbit Aug 19 '11 at 21:42
  • @Evan: However, that's not doing much of "preventing". It's trivially fakeable even by a not very determined intruder. So is everything else I can imagine using -- if you're serving Javascript that tells a browser how to request the data, everyone who sees that Javascript will be able to do the same thing themselves. – hmakholm left over Monica Aug 19 '11 at 21:42
  • Your PHP backend [should be an API](http://devblog.supportbee.com/2011/08/10/the-pros-and-cons-of-developing-a-complete-javascript-ui/) to the web-based presentation layer. If it's a problem that users can access the API manually, then the API is broken. Otherwise, this is a non-issue and you can move on to work on something constructive. – Lightness Races in Orbit Aug 19 '11 at 21:43

4 Answers

// isset() avoids an undefined-index notice when the header is absent
if (isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    // allow access
} else {
    die("Direct access restricted");
}

It's cheatable though

genesis
  • Is there an option that's not "cheatable"? Or perhaps I need to find a different solution if I need to protect the data? – frostmatthew Aug 19 '11 at 22:02

You could just not return anything when the request doesn't have the proper GET or POST variables.

With that said, it's honestly not anything to worry about, as anybody who actually browses the page that you send ajax requests to is probably trying to do something malicious, and them receiving what is sent via ajax doesn't gain them anything. No normal user ever views source...

secretformula
  • I'm not worried about the casual/normal user. The data is inherently valuable so I am trying to transmit it without giving it away for free. – frostmatthew Aug 19 '11 at 22:01

Ajax libraries add an X-Requested-With: XmlHttpRequest header in their requests, so you can test for its presence:

// Libraries such as jQuery send the value as "XMLHttpRequest", so compare
// case-insensitively; the original had an unbalanced closing parenthesis
if (!isset($_SERVER['HTTP_X_REQUESTED_WITH'])
    || strcasecmp($_SERVER['HTTP_X_REQUESTED_WITH'], 'XmlHttpRequest') !== 0) {
    // not an ajax request
}

However a malicious user can easily send this header too, so don't use this to protect sensitive data.

Arnaud Le Blanc

As @Evan linked in his comment, you can detect XmlHttpRequest requests by looking for HTTP_X_REQUESTED_WITH in $_SERVER. But this value comes from a header sent by the client. As with any information from the user, this can be spoofed.

There's really no way to block non-XmlHttpRequest in a practical way. If it's really important that you block the API, you can issue a unique key to the Javascript (and store it in the session) upon a request to the main page. It is passed in the XmlHttpRequest, and when that page sees it and validates it, it gives access. But even that unique key can be scraped from the page.

Jonah
  • I had thought of something similar, but as you point out, that doesn't add much security. What I'm looking for may not be possible. – frostmatthew Aug 19 '11 at 22:06
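The session-bound token scheme that the answer above describes, written out as an added example in PHP (it is not code from any of the answers on this page). The file names main.php and api.php, the header name X-Ajax-Token and the client-side line are assumptions; both halves are shown in one listing although they would live in separate files.

```php
<?php
// Added example of a per-session AJAX token; file/header names are assumed.
session_start();

// --- main.php: issue one random token per session and embed it in the page ---
function issue_ajax_token(): string
{
    if (empty($_SESSION['ajax_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded (64 chars)
        $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['ajax_token'];
}

$token = issue_ajax_token();
// json_encode() makes the value safe to drop into a <script> block
echo '<script>var AJAX_TOKEN = ' . json_encode($token) . ';</script>';
// Client side (assumed): xhr.setRequestHeader('X-Ajax-Token', AJAX_TOKEN);

// --- api.php: validate the token before returning any data ---
function ajax_token_is_valid(?string $presented, ?string $expected): bool
{
    if ($presented === null || $expected === null) {
        return false;           // no session token or no header: reject
    }
    // hash_equals() compares in constant time, so the check does not leak
    // how many leading characters of the token were correct
    return hash_equals($expected, $presented);
}

$presented = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? null;
if (!ajax_token_is_valid($presented, $_SESSION['ajax_token'] ?? null)) {
    http_response_code(403);
    exit('Forbidden');
}
// Reached only with a valid token for this session. As the answer notes,
// anyone who loaded main.php in a browser already holds the token, so this
// ties API calls to a logged-in session rather than hiding the data itself.
```

A request with no session cookie (for example a plain curl against api.php) has no `$_SESSION['ajax_token']`, so it is rejected with 403 before any data is produced.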