4
I have a JavaScript file that makes AJAX requests to my API. I do not want anyone to discover its link; is there some way to block access to this file?
If there is no way, can it be released so that only the site can access it?
6
The moment the AJAX request is performed, it will always be possible to trace it, because the request originates in the client. So what can be done is to validate on the server.
Example:
Let’s assume you’re making the request for the site: http://www.testandoapi.com.br/index.php
In the index.php file, you can have a PHP statement that checks whether the origin of the request is www.testandoapi.com.br.
<?php
// The Origin header carries the scheme as well, e.g. "http://www.testandoapi.com.br",
// so the full value is compared; isset() avoids a notice when the header is absent.
if( isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] === 'http://www.testandoapi.com.br' ){
    // your code here
}
?>
This will cause only requests coming from the www.testandoapi.com.br domain to be executed.
Note: the above solution is not immune to failure; there are other aspects that should be taken into account.
Complementing the above solution, you can also work with a Token.
But for this to happen, it will be necessary to define certain criteria:
- a Token for all who access the site;
- the Token itself;
- you can have other items to define; it is worth taking into account the context in which your API will be used.
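The following is an added example, not code from the answer above, showing the two pieces the answer recommends together: a server-side Origin check and a per-session Token. It assumes the site is served at https://www.testandoapi.com.br, that the page prints the token into a meta tag and that the AJAX call sends it back in an X-Api-Token header; all of those names are illustrative choices, not something the page specifies.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical names): Origin check plus a session-bound token.
// Assumed site address; adjust to the real one.
const ALLOWED_ORIGINS = ['https://www.testandoapi.com.br'];

// Call once when rendering the page, then print the result into a <meta> tag
// that the JavaScript reads before making its AJAX call.
function issueToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['api_token'])) {
        $_SESSION['api_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['api_token'];
}

// The Origin header holds scheme and host (e.g. "https://www.testandoapi.com.br"),
// so the whole value is compared; a bare hostname would never match.
// Returns null when neither Origin nor Referer is present, because some
// legitimate requests omit them and the caller should not reject those outright.
function originMatches(array $server): ?bool
{
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return null;
    }
    // Referer carries a full URL, so reduce either header to scheme://host[:port].
    $parts = parse_url($origin);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $normalized = strtolower($parts['scheme'] . '://' . $parts['host']);
    if (isset($parts['port'])) {
        $normalized .= ':' . $parts['port'];
    }
    return in_array($normalized, ALLOWED_ORIGINS, true);
}

// Constant-time comparison of the token the client sent with the session copy.
function tokenValid(?string $sent, ?string $expected): bool
{
    if ($sent === null || $sent === '' || $expected === null || $expected === '') {
        return false;
    }
    return hash_equals($expected, $sent);
}

// Decision for one request: the token is mandatory; a present but foreign
// Origin is rejected; an absent Origin is tolerated because the token still
// ties the request to a session that was created by loading the site itself.
function requestAllowed(array $server, ?string $sessionToken): bool
{
    if (originMatches($server) === false) {
        return false;
    }
    return tokenValid($server['HTTP_X_API_TOKEN'] ?? null, $sessionToken);
}

// Usage in the API endpoint (assumed file api.php):
// session_start();
// if (!requestAllowed($_SERVER, $_SESSION['api_token'] ?? null)) {
//     http_response_code(403);
//     exit;
// }
// ... handle the API call ...
```

On the client side, with jQuery, the token would be read from the meta tag and passed through `$.ajax`'s `headers` option as `X-Api-Token`. The design choice to note is that the Origin check alone is only a hint: the header can be forged or missing, so the session token is what actually decides, and the Origin check merely rejects requests that announce a foreign site.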
0
You must provide security on the server side, authorizing only those who may access the action's address. The "link" can be discovered anyway when the user's request is made, simply by monitoring the requests in the browser itself.
I already did it this way: $site_ = $_SERVER["SERVER_NAME"];
– Weslei Ramos
Despite the solution, I do not find doing it this way reliable at all. Mainly because whoever wants to make requests will usually be an experienced person, who can easily circumvent it.
– Maicon Carraro
SERVER_NAME retrieves the server's name, not the request's data. It is worth taking a look at HTTP_HOST and HTTP_ORIGIN. See if this helps: http://stackoverflow.com/questions/2297403/http-host-vs-server-name
– Gustavo Carvalho
It's something simple; I don't think anyone will try to cheat :)
– Weslei Ramos
@Maiconcarraro, I agree with you. To create a more elegant solution, we would need to understand the reason for this security and the context of the API and its use.
– Gustavo Carvalho
I would create a single Token and would always pass it on the request; it is safer than simply checking a text field in the request.
– Maicon Carraro
Good... but for the Token to work it would have to have a well-established rule for creating and reading it. Because if you hand out a Token and leave it open to everyone, it would be the same as validating a text field in the request...
– Gustavo Carvalho
@Maiconcarraro, I added your suggestion in the reply... ;)
– Gustavo Carvalho
@Gustavocarvalho Thanks :)
– Maicon Carraro
HTTP_ORIGIN is a new feature offered by Google Chrome. Other browsers do not support it. Moreover, it is not recognized by servers; it is necessary to install a specific module for support. The biggest problem is that the effect is the same as HTTP_REFERER: it can be manipulated easily. And another even bigger problem: in a legitimate request, the value of HTTP_ORIGIN or HTTP_REFERER can come empty, so you would be blocking a legitimate request. The JavaScript needs to be readable anyway. Everything you try to do to block access is in vain. At most, you can make it harder with obfuscation.
– Daniel Omine