How a server can check ajax requests not from a site, X-Requested-With

I read that checking the X-Requested-With header from an ajax request is a good way to make sure the request is not coming from outside. How can I check this header on the server side? And what is the correct way to respond if this header is missing or incorrect (redirect, throw exception, else)?

+5
2 answers

You can check it like this:

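// && is needed here: the lower-precedence AND would bind after the
// assignment, leaving $isAjax equal to the isset() result alone.
$isAjax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) &&
          strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';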

If you are only expecting access via XHR, then simply exit if this header is not there.

Note: This header is trivial to replace. Don't rely on it for anything other than that the request looks like it came from an XHR.

+8
+6
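An added example (not code from the answers above) of one way to act on that advice: the header is treated only as a hint, and the accept/reject decision rests on a session-bound token. The function names, the `X-CSRF-Token` header, the status codes and the sample arrays are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hint only: true when the client sent X-Requested-With: XMLHttpRequest.
// Any HTTP client can set this header, so it proves nothing about origin.
function looks_like_xhr(array $server): bool
{
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

// Assumed real control: a per-session token that the page embeds and the
// script sends back in a hypothetical X-CSRF-Token header.
function has_valid_token(array $server, array $session): bool
{
    $sent = $server['HTTP_X_CSRF_TOKEN'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Returns [HTTP status, JSON body]; the caller emits them and exits.
function gate_request(array $server, array $session): array
{
    if (!looks_like_xhr($server)) {
        return [400, json_encode(['error' => 'XHR endpoint only'])];
    }
    if (!has_valid_token($server, $session)) {
        return [403, json_encode(['error' => 'invalid or missing token'])];
    }
    return [200, json_encode(['ok' => true])];
}

// Constructed sample data (not real traffic).
$session = ['csrf_token' => bin2hex(random_bytes(16))];
$samples = [
    'plain browser navigation' => [],
    'header set, no token'     => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'header and session token' => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest',
                                   'HTTP_X_CSRF_TOKEN' => $session['csrf_token']],
];
foreach ($samples as $label => $server) {
    [$status, $body] = gate_request($server, $session);
    printf("%-26s -> %d %s\n", $label, $status, $body);
}
```

In a real endpoint, pass `$_SERVER` and `$_SESSION` to `gate_request()`, then send the result with `http_response_code($status)`, echo the body and `exit`.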
