PHP
Alexander, 2015-06-06 16:56:50

Protecting a script from ajax requests from other servers, is it a reasonable solution?

Friends, does it make sense to protect a php script that is executed via ajax with such a condition?

if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && preg_match("/site.ru/", $_SERVER['HTTP_REFERER'])) { 
    // script code
}

The main question is about the last condition: preg_match("/site.ru/", $_SERVER['HTTP_REFERER']).
Isn't it resource-intensive? Are there no alternatives?
Thanks in advance.


3 answer(s)
Deodatuss, 2015-06-06
@Deodatuss

Wiki says that for each user you can generate their own secret key that is sent with the request.

Shaks, 2015-06-06
@shaks

Everything you wrote is complete nonsense. All headers are easily set by any script, including REFERRER.

Regarding the question:
- no, not resource-intensive
- there is an alternative: strpos, substr and so on.

A cache to store user tokens is quite a good idea.

P.S. Why do you need such "protection"? Just curious, I tried to come up with a situation where it is necessary, but I could not come up with one)

D', 2015-06-06
@Denormalization

HTTP_REFERER is an untrusted header. It can be changed to whatever you want.
If the task is to protect against any requests (not only from the browser), then checking the referer will not help.
If the task is to protect against requests from browsers, it's easier to set up CORS + use CSRF tokens for POST/PUT/DELETE.
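
The per-user secret key and the CSRF token suggested in the answers, as an added example that is not part of any answer on this page: the decision rests on a session-bound token rather than on X-Requested-With or Referer. The X-CSRF-Token header name, the function names and the sample requests are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Issue (or reuse) a per-session secret. The page embeds it and every AJAX call sends it back.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

// Allow a state-changing request only when it carries the session's token.
// X-Requested-With and Referer are ignored: the client sets them freely.
function isRequestAllowed(array $session, array $server): bool
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true; // safe methods must not change state, so no token is required
    }
    $expected = $session['csrf_token'] ?? '';
    $sent     = $server['HTTP_X_CSRF_TOKEN'] ?? ''; // assumed header name
    // hash_equals() compares in constant time; a missing session token never matches.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Constructed sample requests standing in for $_SESSION and $_SERVER.
// In a real script: session_start(); then pass $_SESSION and $_SERVER.
$session = [];
$token   = issueCsrfToken($session);

$headersOnly = [ // passes the check from the question, carries no token
    'REQUEST_METHOD'        => 'POST',
    'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
    'HTTP_REFERER'          => 'http://site.ru/page',
];
$samples = [
    'headers only' => $headersOnly,
    'wrong token'  => $headersOnly + ['HTTP_X_CSRF_TOKEN' => str_repeat('0', 64)],
    'valid token'  => $headersOnly + ['HTTP_X_CSRF_TOKEN' => $token],
];
foreach ($samples as $label => $server) {
    printf("%-12s => %s\n", $label, isRequestAllowed($session, $server) ? 'allowed' : 'rejected');
}
```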
