How to prevent cross-domain ajax requests?

How to determine if my php script is called from another domain and another domain illegally uses my script? Is there any way to prevent this?

UPDATE

I found this question on SO, but it's still unsafe; it can be faked.

+4
5 answers

There is no absolutely reliable way to prevent this, as any header information can be tampered with. Another possible solution is session-based tokens, but in this case your javascript is publicly available, so anyone willing to spend a little time can determine how your token system works and find out how to reproduce it.

The combination of methods will give you the broadest protection. You can check for a header, use a .htaccess file, and use tokens. Taken together, this approach makes your web server much harder to abuse; most of the abuse comes from people trying to find an easy hole to exploit. It is important to remember that you cannot relax because you have deployed the "best" defense or because you have so many levels of protection that it seems impossible to crack. If someone wants it badly enough and has the time, they will find a way. These types of preventative measures are really only deterrents to ward off the lazy, the curious and the lazily spiteful. Targeted attacks are a whole separate security class and, as a rule, are more focused on server-level security issues.

Htaccess example. This is not something you would put in your root, but rather in a subfolder where you have scripts that should never be called from the address bar:

 RewriteEngine on
 # Only act when a Referer is present (an empty Referer passes through) ...
 RewriteCond %{HTTP_REFERER} !^$
 # ... and it does not point at our own domain (the dot before "com" is escaped so it matches literally)
 RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?_YOUR_DOMAIN_NAME_HERE\.com [NC]
 # then answer any .php request with 403 Forbidden
 RewriteRule \.(php)$ - [NC,F,L]

Check out this article for information on using the token system: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

+3

You can manually reject each request whose Origin header does not match your domain name. However, not all browsers send an Origin header. In those cases, you can fall back to the Referer [sic] header, parse it to find the domain name, and compare it as above.

Some JavaScript frameworks also set the X-Requested-With header for AJAX requests.

This should reject a significant percentage of users (I would estimate > 95%). Please note that, due to the same-origin policy, the only thing the guy sending AJAX requests to your domain receives anyway is synchronization information.

+1
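The Origin/Referer/X-Requested-With check described in this answer, written out as an added example (it is not the answerer's code): the function name, the allowed host and the sample request arrays are all constructed for the demonstration.

```php
<?php
// Added example, not from the original answer. Compare the Origin header with
// our own host, fall back to Referer when Origin is absent, and require the
// X-Requested-With header jQuery adds. Names and sample data are constructed.

function requestIsFromOwnSite(array $server, string $allowedHost): bool
{
    // Prefer Origin; fall back to Referer for browsers that do not send Origin.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false; // neither header present: cannot confirm the caller, reject
    }
    $parts = parse_url($source);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // unparsable value, or the literal Origin "null"
    }
    if (!in_array($parts['scheme'], ['http', 'https'], true)) {
        return false;
    }
    // Compare the whole host (case-insensitively), not a substring, so that
    // "example.com.evil.test" is not accepted for "example.com".
    $host    = strtolower($parts['host']);
    $allowed = strtolower($allowedHost);
    if ($host !== $allowed && $host !== 'www.' . $allowed) {
        return false;
    }
    // jQuery sets this on same-origin AJAX calls; a cross-origin page can only
    // add it through a CORS preflight, which fails unless the server opts in.
    return ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
}

// Constructed sample requests (shape of $_SERVER), each with the expected verdict.
$samples = [
    [['HTTP_ORIGIN' => 'https://www.example.com',
      'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], true],
    [['HTTP_REFERER' => 'https://example.com/page.php?id=7',
      'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], true],   // no Origin: Referer used
    [['HTTP_ORIGIN' => 'https://example.com.evil.test',
      'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], false],  // suffix trick rejected
    [['HTTP_ORIGIN' => 'https://example.com'], false],       // plain form post, no XHR header
];
foreach ($samples as [$request, $expected]) {
    if (requestIsFromOwnSite($request, 'example.com') !== $expected) {
        throw new RuntimeException('sample request classified unexpectedly');
    }
}
echo "all sample requests classified as expected\n";
```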

As user3491125 said, you can set $_SESSION on the page where the call is made and check it on the Ajax page, e.g. whether $_SESSION['user'] exists.

0

This is not a problem that can be solved. If you create a website, you make it, by definition, open. If you want your data to be private, you need to perform some kind of login.

It is not possible to create a system that is open to users but not to scripts without logins, captchas or similar annoyances.

-2

I know this is an old post, but nowadays there IS a "reliable" method to avoid this, and it's as simple as hell... First, on the page where the ajax call will be made:

 <?php
 // The session must be started before $_SESSION can be written (missing in the original snippet).
 session_start();
 // random_bytes() replaces the original sha1(rand(1000,9999)), which could only
 // produce 9000 distinct tokens and is therefore trivially guessable.
 $token = bin2hex(random_bytes(32));
 $_SESSION['token'] = $token;
 ?>

Then in the ajax script:

 var formData = new FormData();
 formData.append("token", "<?php echo $token; ?>");
 $.ajax({
     url: 'yourfile.php',
     type: 'POST',
     success: function (data) { alert(data); },
     data: formData,
     cache: false,
     contentType: false,   // let the browser set multipart/form-data with its boundary
     processData: false    // send the FormData object as-is
 });

And finally, on the php page that will be called:

 <?php
 session_start();
 $token = $_POST['token'] ?? '';
 // isset() avoids notices when the session has no token yet; hash_equals() compares
 // in constant time; the header check matches what jQuery sends for same-origin AJAX.
 if (isset($_SESSION['token'])
     && hash_equals($_SESSION['token'], $token)
     && ($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest') {
     // Perform your stuff here...
 }
 ?>

-3
