Some smartass people are using my api-centric web app to clone my service and make it appear like their own. Is there a way to make sure all ajax requests are for/from my website?
Sure I could use the referrer header but they could easily fake it.
There is absolutely no way to know with certainty if a request came from a browser or something else making an HTTP request. The HTTP protocol allows for the client to set the User Agent arbitrarily.
The server takes the request and based on the info in the request line, headers, and body, decides how to process the request. For the request GET /hello-world/ HTTP/1.1, the server gets the content at this path, constructs the response and sends it back to the client.
The number of HTTP requests made by a browser is subject to various parameters. It depends on both the browser and server configuration. There is only one way to find out if you can extract more performance out of the server and the connection - use a web traffic monitor like Fiddler.
Set a cookie on the client when it hits your site, before it sends any Ajax requests.
Then validate the cookie when serving the Ajax.
Or alternatively you could make your Ajax requests POST only. This way they are subject to the same origin policy.
It will break the whole RESTful ideology though.
http://en.wikipedia.org/wiki/Same_origin_policy
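As an added example (not code from the answer above), here is how the cookie check described in that answer can be implemented server-side in Python, extended with the Origin/Referer and custom-header checks that the same-origin policy makes meaningful for browser callers; the cookie name site_session, the origin https://example.com and the one-hour lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

SECRET = secrets.token_bytes(32)           # constructed: per-deployment server secret
ALLOWED_ORIGINS = {"https://example.com"}  # placeholder for the real site's origin
TTL_SECONDS = 3600                         # assumed cookie lifetime


def issue_cookie(secret=SECRET, now=None):
    """Mint the cookie set on the first page view: nonce.timestamp.HMAC(nonce.timestamp)."""
    now = int(now if now is not None else time.time())
    payload = f"{secrets.token_hex(16)}.{now}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def cookie_is_valid(value, secret=SECRET, now=None):
    """True only if the cookie was minted by us and has not expired."""
    now = int(now if now is not None else time.time())
    try:
        nonce, ts, sig = value.split(".")
        ts = int(ts)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(secret, f"{nonce}.{ts}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False
    return 0 <= now - ts <= TTL_SECONDS


def validate_ajax_request(headers, cookies, allowed_origins=ALLOWED_ORIGINS,
                          secret=SECRET, now=None):
    """Return (ok, reason) for an incoming Ajax request; headers and cookies are plain dicts."""
    h = {k.lower(): v for k, v in headers.items()}
    # 1. The answer's check: a cookie minted by an earlier page view on this site.
    if not cookie_is_valid(cookies.get("site_session", ""), secret, now):
        return False, "missing or invalid session cookie"
    # 2. Browsers set Origin (or Referer); a page on another origin cannot rewrite them.
    source = h.get("origin") or h.get("referer")
    if not source:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in allowed_origins:
        return False, f"origin {origin} not allowed"
    # 3. A custom header: cross-origin XHR cannot add it without a CORS preflight we never approve.
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing X-Requested-With header"
    return True, "ok"
```

This stops cross-site browser calls; a clone that proxies your API from its own server can still load a page first and replay the cookie, so server-side copying needs separate measures such as rate limiting or API keys.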