Protecting a script from ajax requests from other servers, is it a reasonable solution?
Friends, does it make sense to protect a PHP script that is executed via AJAX with a condition like this?
if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && preg_match("/site.ru/", $_SERVER['HTTP_REFERER'])) {
    // script code
}
Wiki says that for each user you can generate your own secret key that is sent with the request.
Everything you wrote is complete nonsense. All headers are easily set by any script, including REFERRER.
Regarding the question:
- no, not resource-intensive
- there is an alternative to strpos, substr and so on. A cache to store user tokens is quite a good idea.
P.S. Why do you need such "protection"? Just curious, I tried to come up with a situation where it is necessary, but I could not come up with one)
HTTP_REFERER is an untrusted header. It can be changed to whatever you want.
If the task is to protect against any requests (not only from the browser), then checking the referer will not help.
If the task is to protect against requests from browsers, it's easier to set up CORS + use CSRF tokens for POST/PUT/DELETE.
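A sketch of the CORS + CSRF token approach from the answer above, in place of the X-Requested-With/Referer check. This is an added example, not code posted by anyone in the thread; the function names, the `X-CSRF-Token` header name and the origin `https://site.example` are assumptions.

```php
<?php
// Added example, not from the thread. ALLOWED_ORIGIN, csrf_token(), csrf_check(),
// cors_headers() and the X-CSRF-Token header name are assumptions.
declare(strict_types=1);

const ALLOWED_ORIGIN = 'https://site.example'; // constructed placeholder origin

// Return the per-session token, creating it on first use.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Safe methods pass; state-changing methods must present the session's token.
function csrf_check(string $method, ?string $sent, array $session): bool
{
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    $expected = $session['csrf'] ?? '';
    // hash_equals() compares in constant time: known value first, user value second.
    return $expected !== '' && $sent !== null && hash_equals($expected, $sent);
}

// CORS: exact-match allowlist; never reflect an arbitrary Origin back.
function cors_headers(?string $origin): array
{
    return $origin === ALLOWED_ORIGIN
        ? ['Access-Control-Allow-Origin: ' . ALLOWED_ORIGIN, 'Vary: Origin']
        : [];
}

if (PHP_SAPI !== 'cli') {
    session_start();
    foreach (cors_headers($_SERVER['HTTP_ORIGIN'] ?? null) as $h) {
        header($h);
    }
    $token = csrf_token($_SESSION); // embed in the page so the site's own JS can send it back
    if (!csrf_check($_SERVER['REQUEST_METHOD'], $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null, $_SESSION)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
    // ... script code ...
}
```

The token is tied to the server-side session, so a request that merely sets its own headers cannot supply a matching value without first obtaining that session's token.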