how to lock AJAX calls to ASHX/WCF service to domain to stop data harvest

Is it possible to restrict the access of an ASHX or WCF ser开发者_如何学JAVAvice to only AJAX calls from your own domain?

In order to improve site performance, we want to use the full jQuery & MS AJAX 4.0 approach however exposing our retail data via an ASHX or WCF service makes it really easier for competitors to harvest our data.

Yes it is a public website and they could eventually harvest and we will put throttling in place but how can we lock calls to these services to our domain?

Could a windows app and contect directly to the service and still harvest?

Looks like another performance/security tradeoff!! sigh

Any suggestions would be helpful.

Thanks in advance.

---

What you're asking for can't be done. Any data that's available on your public website, whether it's intended to be called from a browser or via AJAX, can be scraped. You can try obfuscating your Javascript and data, or using a CAPTCHA, but these can be worked around. Throttling also is only a minor deterrent, as an attacker can trickle their requests, or use multiple proxies.

Basically, once you put it on the Internet, it's public.

---

You may use an encrypted parameter. Server's current date time will be a good parameter.

MyService.ashx?parameter=<encrypted date time>

In your ashx check the parameter to see if it is present and date time is current, if not throttle and return an empty page. Allow a few seconds margin though.

This will prevent your service called directly from a harvester but it won't prevent your site being harvested by a crawler.