So, I have a page on my site (index.php) which wants to make simple AJAX lookups. The AJAX requests are made in JSON to /ajax/search.php.
You can use $_SERVER['HTTP_REFERER'].
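What that answer suggests, as an added example that is not code from the thread: a same-origin check on the Referer header in /ajax/search.php. The allowed hostnames are an assumption. Keep in mind that the header is supplied by the client and is often legitimately absent (Referrer-Policy, privacy extensions, direct navigation), so a match only reduces casual cross-site use; it is not authentication, and anything that changes data still needs a session and a permission check.

```php
<?php
// Added example (not from the original thread): a same-origin check on the
// Referer header. The header comes from the client, so treat a match as a
// weak hint about where the request came from, not as proof.

/**
 * Return true when the Referer header names one of the hosts we serve.
 * $server is the $_SERVER array; $allowedHosts is assumed configuration,
 * e.g. ['example.com', 'www.example.com'].
 */
function referer_is_same_origin(array $server, array $allowedHosts): bool
{
    if (empty($server['HTTP_REFERER'])) {
        // Missing Referer is common for legitimate clients, so this check
        // can only say "unknown", and the safe default is to deny.
        return false;
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    // Compare the full hostname exactly: a prefix match would accept
    // "example.com.evil.test", and parse_url already strips userinfo
    // such as "example.com@evil.test".
    $host = strtolower($parts['host']);
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// /ajax/search.php
header('Content-Type: application/json');
if (!referer_is_same_origin($_SERVER, ['example.com', 'www.example.com'])) {
    http_response_code(403);
    echo json_encode(['error' => 'forbidden']);
    exit;
}
// Normal handling continues here; the result shape is a placeholder.
echo json_encode(['results' => []]);
```

A practical way to see its limits is to load index.php in a browser with the Referer header disabled and watch legitimate requests get refused; that is why the check belongs in front of a session-based authorization layer rather than in place of one.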
Why do you need to make sure the request comes directly from "index.php"? That seems awfully silly making a public interface like that. In the end, all the requests on the web are the same, no connection to the previous request.
Sounds like you just want to over complicate this.
I've had a similar problem. Only I would like to do it by domain so that only my framework can access the API. It doesn't seem like this is possible. So the alternative is to decide which methods/operation requests need to be permission checked vs. those that do not. For example, I don't really care if Joe Shmoo fetches a list of blogs, but I do care if they attempt to delete a blog directly through my public API. You can even add an extra layer behind the request that logs any outside attempts to access API methods the person doesn't have permission to, or excessive requests.
However, the problem area lies with the DAO request. In that case someone can directly call a method on DAO w/ supplied args. So the only reasonable way I’ve found to restrict what methods can/can’t be requested is via an added permission layer. That way at least destructive methods are not able to be accessed directly through the public API.
In the end though it really is a catch-22 situation. Ideally I would like to be able to use the exact same data access layer w/ regulation on the client side, but for security reasons it's just not practical.
So the open access to all data that doesn't require someone to be logged in is just something you need to get over. For example, by running the below request someone could get all my blogs' information as JSON or XML via curl or an AJAX request.
Kinda sucks but at least there is regulation on something like this:
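The permission layer described in the post above, as an added example that is not the poster's code: a JSON dispatcher for /ajax/search.php that lists every reachable method explicitly, leaves read-only methods public, requires a logged-in user with a named permission for destructive ones, and logs every refused call. The method names, permission names, session layout and the in-memory BlogDao are assumptions for illustration.

```php
<?php
// Added example (not from the thread): a permission layer in front of a
// JSON API. Only methods listed here can be reached; the DAO's other
// methods are never callable directly with client-supplied arguments.
// null means public; a string names the permission the session must carry.
const API_METHODS = [
    'blog.list'   => null,
    'blog.get'    => null,
    'blog.delete' => 'blog:delete',
];

// Hypothetical in-memory stand-in for the real data access layer.
class BlogDao
{
    private static array $blogs = [1 => 'First post', 2 => 'Second post'];

    public static function listAll(): array { return self::$blogs; }
    public static function find(int $id): ?string { return self::$blogs[$id] ?? null; }
    public static function delete(int $id): void { unset(self::$blogs[$id]); }
}

/** Decide whether the caller may invoke $method; returns 'ok' or a reason. */
function authorize(string $method, ?array $user): string
{
    if (!array_key_exists($method, API_METHODS)) {
        return 'unknown_method';          // not on the list: not callable at all
    }
    $needed = API_METHODS[$method];
    if ($needed === null) {
        return 'ok';                      // public read, like listing blogs
    }
    if ($user === null) {
        return 'login_required';
    }
    return in_array($needed, $user['permissions'] ?? [], true) ? 'ok' : 'forbidden';
}

/** Run one API call; $user is the session's user record (or null). */
function dispatch(string $method, array $args, ?array $user): array
{
    $decision = authorize($method, $user);
    if ($decision !== 'ok') {
        // Refused calls are logged so probing and excessive requests
        // from outside the site are visible to whoever reads the logs.
        error_log(sprintf('api deny method=%s user=%s reason=%s ip=%s',
            $method, $user['name'] ?? '-', $decision, $_SERVER['REMOTE_ADDR'] ?? '-'));
        return ['error' => $decision];
    }
    $id = (int)($args['id'] ?? 0);
    switch ($method) {
        case 'blog.list':   return ['blogs' => BlogDao::listAll()];
        case 'blog.get':    return ['blog' => BlogDao::find($id)];
        case 'blog.delete': BlogDao::delete($id); return ['deleted' => $id];
    }
    return ['error' => 'unknown_method'];
}

// /ajax/search.php entry point: expects JSON {"method": "...", "args": {...}}.
session_start();
$body = json_decode(file_get_contents('php://input'), true) ?? [];
$user = $_SESSION['user'] ?? null;   // assumed shape: ['name' => ..., 'permissions' => [...]]
header('Content-Type: application/json');
echo json_encode(dispatch((string)($body['method'] ?? ''), (array)($body['args'] ?? []), $user));
```

With this in place, an anonymous curl against 'blog.list' gets the same public data it could read from the site anyway, while 'blog.delete' from the same client returns login_required and leaves a log line; the open read access the post accepts stays open, but the destructive path is gated on the server rather than on anything the client sends about itself.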