Checking page is called by Ajax

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

wpsd2006
Forum Commoner
Posts: 66
Joined: Wed Jan 07, 2009 12:43 am

Checking page is called by Ajax

Post by wpsd2006 »

Hi Guys

I wonder, is there any usage or security reason if we check whether the page is called by Ajax or not, and if not, we drop the request?

You are welcome to give another example of this checking purpose.
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Checking page is called by Ajax

Post by requinix »

It's impossible to tell the difference between an AJAX request and someone forging the request themselves.
tr0gd0rr
Forum Contributor
Posts: 305
Joined: Thu May 11, 2006 8:58 pm
Location: Utah, USA

Re: Checking page is called by Ajax

Post by tr0gd0rr »

Most JavaScript Ajax libs like jQuery and Prototype use the non-standard header HTTP_X_REQUESTED_WITH, which you can test like `if (strtolower(@$_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')`, but as requinix says, anybody can send any request headers they want, so HTTP_X_REQUESTED_WITH cannot be relied upon for security.

If you need to add security to a REST/SOAP API (which may not apply to your case), you probably need to assign API keys and passwords.
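An added example, not code from any poster in this thread: it keeps the X-Requested-With test for choosing a response format only and bases the access decision on an API key and secret, as the replies above suggest. The header names `X-API-Key-Id` and `X-API-Secret`, the key store and the sample requests are hypothetical and constructed for the demo.

```php
<?php
// Hypothetical key store for the demo: key id => SHA-256 of the secret.
function demo_key_store(): array
{
    return ['client-1' => hash('sha256', 'constructed-demo-secret')];
}

// The check from the thread: true when the client *claims* to be XMLHttpRequest.
// Any client can set this header, so it only selects the response format.
function looks_like_ajax(array $server): bool
{
    $value = (string) ($server['HTTP_X_REQUESTED_WITH'] ?? '');
    return strtolower($value) === 'xmlhttprequest';
}

// The access decision depends on a secret the caller must know.
function is_authorized(array $server, array $keys): bool
{
    $id     = $server['HTTP_X_API_KEY_ID'] ?? '';   // hypothetical header
    $secret = $server['HTTP_X_API_SECRET'] ?? '';   // hypothetical header
    if (!is_string($id) || !is_string($secret) || !isset($keys[$id])) {
        return false;
    }
    // Constant-time comparison, so timing does not reveal a partial match.
    return hash_equals($keys[$id], hash('sha256', $secret));
}

// Returns [HTTP status, response format or error text].
function handle(array $server): array
{
    if (!is_authorized($server, demo_key_store())) {
        return [401, 'unauthorized'];
    }
    return [200, looks_like_ajax($server) ? 'json' : 'html'];
}

// Constructed sample requests, shaped like $_SERVER.
$key = ['HTTP_X_API_KEY_ID' => 'client-1',
        'HTTP_X_API_SECRET' => 'constructed-demo-secret'];
$requests = [
    'ajax header, no key'  => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'ajax header, bad key' => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
                               'HTTP_X_API_KEY_ID' => 'client-1',
                               'HTTP_X_API_SECRET' => 'wrong'],
    'valid key, ajax'      => $key + ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'valid key, no header' => $key,
];
foreach ($requests as $label => $server) {
    [$status, $body] = handle($server);
    printf("%-22s => %d %s\n", $label, $status, $body);
}
```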