Checking page is call by Ajax
Posted: Tue Oct 09, 2012 3:34 am
by wpsd2006
Hi Guys
I wonder whether there is any usage or security reason to check whether the page is called by Ajax or not, and if not, to drop the request?
You are welcome to give another example of this checking purpose.
Re: Checking page is call by Ajax
Posted: Tue Oct 09, 2012 5:21 am
by requinix
It's impossible to tell the difference between an AJAX request and someone forging the request themselves.
Re: Checking page is call by Ajax
Posted: Tue Oct 09, 2012 1:29 pm
by tr0gd0rr
Most JavaScript Ajax libs like jQuery and Prototype use the non-standard header HTTP_X_REQUESTED_WITH, which you can test like `if (strtolower(@$_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')`, but as requinix says, anybody can send any request headers they want, so HTTP_X_REQUESTED_WITH cannot be relied upon for security.
If you need to add security to a REST/SOAP API (which may not apply to your case), you probably need to assign API keys and passwords.
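The distinction drawn in the replies above, as an added example that is not part of the original thread: the `X-Requested-With` check only selects the response format, while access depends on a secret the caller must present. The `X-API-Key-Id` / `X-API-Key` header names, the key store and the sample requests are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical key store (constructed values): key id => SHA-256 of the secret.
function api_key_store(): array
{
    return ['client-1' => hash('sha256', 'constructed-example-secret')];
}

// Presentation hint only: the header is client-supplied, so it may choose
// the response format (JSON fragment vs. full page) but never grants access.
function is_ajax_hint(array $server): bool
{
    return strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'xmlhttprequest';
}

// Access decision: depends on a secret the caller has to know.
function is_authorized(array $server): bool
{
    $id     = $server['HTTP_X_API_KEY_ID'] ?? '';
    $secret = $server['HTTP_X_API_KEY'] ?? '';
    $known  = api_key_store()[$id] ?? null;
    if ($known === null || $secret === '') {
        return false;
    }
    // hash_equals() compares in constant time.
    return hash_equals($known, hash('sha256', $secret));
}

function handle(array $server): string
{
    if (!is_authorized($server)) {
        return '401 unauthorized';
    }
    return is_ajax_hint($server) ? '200 json' : '200 html';
}

// Constructed requests, shaped like $_SERVER entries.
$key = ['HTTP_X_API_KEY_ID' => 'client-1', 'HTTP_X_API_KEY' => 'constructed-example-secret'];
$requests = [
    'header only, no key'  => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'valid key, no header' => $key,
    'valid key + header'   => $key + ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
];
foreach ($requests as $label => $server) {
    printf("%-22s => %s\n", $label, handle($server));
}
```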