JavaScript
sokira, 2019-10-16 11:32:25

How to close XMLHttpRequest from public access?

My page makes XMLHttpRequest requests from JavaScript to my own server. They return data in JSON format, which is then used on the page.
Is there any way to make sure that no one else can repeat these requests and get my data in JSON format?
Can nginx settings make it so that these XMLHttpRequest requests cannot be made directly? So that it is impossible to receive data by requesting the XMLHttpRequest address.
What are the options?


1 answer(s)
Sergey Sokolov, 2019-10-16
@sokira

Use a one-time session key to force the scenario:
"request the page first, and only then - json data."
When generating a page, a key is created on the server, which is written to the session (on the server) and to the page code.
When requesting data from the page, this key is also sent with the request, where it is compared with the one recorded in the session. Only if there is a match, data is returned and the key is removed from the session.
In order not to transmit the data in the clear, you can additionally pack and encrypt it. See JSON Web Tokens. But this is purely decorative, because everything that ends up in clear text in the client's browser is leaked.
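
The one-time key flow described in the answer above, as an added example that is not code from the thread. It assumes a Node.js server with an in-memory session store; `issuePageKey`, `consumePageKey` and `handleDataRequest` are hypothetical names, and the session IDs stand in for whatever the session cookie carries.

```javascript
// Added illustration: one-time page key bound to a server-side session.
const { randomBytes, timingSafeEqual } = require('crypto');

// sessionId -> { pageKey }. Stand-in for a real session store (assumption).
const sessions = new Map();

// Called while rendering the HTML page: create a key, record it in the
// session, and return it so it can be written into the page code.
function issuePageKey(sessionId) {
  const key = randomBytes(32).toString('hex');
  const session = sessions.get(sessionId) || {};
  session.pageKey = key;
  sessions.set(sessionId, session);
  return key;
}

// Called by the JSON endpoint: true only if the presented key matches the
// one in the session. On a match the key is removed, so it works once.
function consumePageKey(sessionId, presentedKey) {
  const session = sessions.get(sessionId);
  if (!session || !session.pageKey || typeof presentedKey !== 'string') {
    return false;
  }
  const expected = Buffer.from(session.pageKey);
  const presented = Buffer.from(presentedKey);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (expected.length !== presented.length) return false;
  if (!timingSafeEqual(expected, presented)) return false;
  delete session.pageKey;
  return true;
}

// Framework-independent handler for the XMLHttpRequest endpoint.
function handleDataRequest(sessionId, presentedKey) {
  if (!consumePageKey(sessionId, presentedKey)) {
    return { status: 403, body: { error: 'invalid or used page key' } };
  }
  return { status: 200, body: { items: ['constructed', 'sample', 'data'] } };
}
```

The page needs a fresh key for every data request it makes, so an endpoint that is called repeatedly has to return the next key along with the JSON or have the page re-rendered.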
