PHP
Robot, 2015-11-17 13:39:39

How to allow only Ajax to respond?

There is a site.com/response.php page that receives GET requests from Ajax.
Question: how do I prevent it from responding to any GET requests other than my Ajax ones? As it is, you can put site.com/response.php?id=xx in the address bar and make a request directly.

I looked at $_SERVER, but it's not clear which of the available parameters is the best way to filter requests...


2 answer(s)
Adamos, 2015-11-17
@iam_not_a_robot

Option 1: Form a unique key on the page from which the Ajax request comes, and check it in the Ajax script.
Option 2: Check whether this particular user visited that page just before the request was sent. It is possible that you just need to make sure that the user is authorized, to weed out robots.
And whatever came into the script without the participation of the server can always be faked.

Elios, 2015-11-17
@strelov1

// True when the request carries the header "X-Requested-With: XMLHttpRequest"
function IsAjax()
{
    return isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
        strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

But this is a very weak protection method: such headers are easily forged, so you still need to generate a CSRF token at least.
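
A sketch of the page-issued key from Option 1, which is also the CSRF token the second answer asks for. This is an added example, not code posted by anyone in the thread; the function names, the `ajax_token` session key and the `X-CSRF-Token` request header are assumptions, and plain arrays stand in for `$_SESSION` and `$_SERVER` so it runs from the command line.

```php
<?php
declare(strict_types=1);

/** Page side: create (or reuse) a random token stored in the visitor's session. */
function issueAjaxToken(array &$session): string
{
    if (empty($session['ajax_token'])) {
        $session['ajax_token'] = bin2hex(random_bytes(32));
    }
    return $session['ajax_token'];
}

/** response.php side: serve only requests that carry this session's token. */
function isTrustedAjax(array $session, array $server): bool
{
    $expected = $session['ajax_token'] ?? '';
    $supplied = $server['HTTP_X_CSRF_TOKEN'] ?? '';   // hypothetical header name
    // The X-Requested-With test is kept only as a cheap pre-filter.
    $looksAjax = strtolower((string) ($server['HTTP_X_REQUESTED_WITH'] ?? '')) === 'xmlhttprequest';

    return $looksAjax
        && is_string($expected) && $expected !== ''
        && is_string($supplied)
        && hash_equals($expected, $supplied);         // constant-time comparison
}

// --- Constructed demo data ---
$session = [];
$token   = issueAjaxToken($session);   // the page would embed this, e.g. in a <meta> tag

$forgedHeaderOnly = ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$fromPageScript   = $forgedHeaderOnly + ['HTTP_X_CSRF_TOKEN' => $token];

$cases = [
    'direct hit, forged header only' => [$session, $forgedHeaderOnly],
    'request from the page script'   => [$session, $fromPageScript],
    'token replayed in new session'  => [[], $fromPageScript],
];

foreach ($cases as $label => [$sess, $srv]) {
    printf("%-32s %s\n", $label, isTrustedAjax($sess, $srv) ? 'serve' : 'reject (403)');
}
```

The token ties a request to a session that actually loaded the page; a client that loads the page first receives a valid token, so authorization checks on `response.php` are still needed where the data is sensitive.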
