
How do I only allow the ajax request if the javascript calling is on the same server as the PHP file?

Developer https://www.devze.com 2023-01-12 08:15 Source: Internet

How do I make it so an ajax request can only be executed if the JS and PHP files are on the same server?


The answer is that you can't.

The best you can do is put up a roadblock that is easy to get around. So if you are doing this only to discourage other people from directly accessing your AJAX APIs without going through your JavaScript, then it may be sufficient to do something like check the HTTP_X_REQUESTED_WITH server variable. But this is easy to work around.

If you are doing this for security, the simple answer is that it's not possible.

When designing your internal AJAX API you have to simply remember that anything that your JavaScript can request, an external client (such as a robot) could also request. So, don't divulge any information you wouldn't want anyone else to be able to see, or allow the request to perform any actions you wouldn't want anyone else to be able to perform.

If you need to provide access only to authenticated users, then you need to apply the same authentication to your AJAX API as you would for the rest of your site, as it can just as easily be requested by a 3rd party as the rest of your site.
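
The answer's point as an added PHP example, not code from the original answer: the HTTP_X_REQUESTED_WITH check passes for any client that sends the header, while the session login is what actually decides access. The function names, the user_id session key and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example. handle_ajax(), the 'user_id' session key and the sample
// requests below are constructed for illustration; they are not from the answer.

// Roadblock: true for jQuery-style XHR, but any client can send this header.
function looks_like_ajax(array $server): bool
{
    $value = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    return strcasecmp($value, 'XMLHttpRequest') === 0;
}

// Real gate: the same session login the rest of the site relies on.
function is_authenticated(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Returns [HTTP status, JSON body] so it can be exercised without a web server.
function handle_ajax(array $server, array $session): array
{
    if (!is_authenticated($session)) {
        return [401, json_encode(['error' => 'login required'])];
    }
    // Only return data this user is allowed to see anyway.
    return [200, json_encode(['user_id' => $session['user_id']])];
}

// Constructed requests: a browser XHR from a logged-in user, and a client
// that sends the same header but has no session.
$requests = [
    'logged-in browser' => [['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], ['user_id' => 42]],
    'scripted client'   => [['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], []],
];

foreach ($requests as $label => [$server, $session]) {
    [$status, $body] = handle_ajax($server, $session);
    printf(
        "%-18s header check: %s  auth: %d %s\n",
        $label,
        looks_like_ajax($server) ? 'pass' : 'fail',
        $status,
        $body
    );
}
```

In a live endpoint the same function would be called with $_SERVER and $_SESSION after session_start(), and the returned status passed to http_response_code().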
