I am using AJAX to generate actions on my website. For example, a “search results page” calls Ajax, which requests “/getResults.php”. This PHP file returns JSON with 20 entries containing the results. The HTML page calls the callback function and rebuilds the DOM with the results from the JSON.
It thus seems inevitable that using Ajax in this form will result in a public API (just send “/getResults.php” a request with a query and you will get easy-to-use JSON).
Is there any way to block these Ajax calls? This is more acute when setting database entries, not only when retrieving them.
Thanks,
Joel
Since the “API” will have to be accessible via normal HTTP requests, it’s by definition “public”. But, it is playing by the same rules as all other HTTP requests as well. Somebody could submit POST requests to your form submission pages without actually using your site, which is the exact same problem. You can secure your AJAX calls the same way you’d secure your POST submissions; i.e. not at all, or by requiring cookies, or by requiring some special token, or by applying IP filtering or throttling, etc. pp.
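One way to apply the answer's options (requiring the session cookie, requiring a special token, and throttling) to an endpoint like /getResults.php. This is an added example, not code from the question or the answer; the session keys, the X-CSRF-Token header name, and the rate limit are assumptions.

```php
<?php
// Hypothetical guard placed at the top of an AJAX endpoint such as
// /getResults.php (or a write endpoint). The page's own JavaScript is
// assumed to send the token it was given, e.g.
//   fetch('/getResults.php', {method: 'POST', headers: {'X-CSRF-Token': token}})
session_start();

// Issue one token per session; the HTML page embeds it for its JS to echo back.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $msg]);
    exit;
}

// Treat the call exactly like a form submission: writes must be POST,
// so a plain link or image tag cannot trigger them.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'POST required');
}

// "Requiring cookies": only a logged-in session may call the endpoint.
// $_SESSION['user_id'] is assumed to be set by the site's login code.
if (empty($_SESSION['user_id'])) {
    deny(401, 'login required');
}

// "Requiring some special token": another site can make the browser send
// the cookie, but it cannot read this per-session token, so it cannot
// forge a valid call. hash_equals avoids a timing side channel.
$sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!hash_equals($_SESSION['csrf_token'], $sent)) {
    deny(403, 'bad or missing token');
}

// "Throttling": at most 30 calls per rolling minute per session (assumed limit).
$now = time();
$_SESSION['calls'] = array_values(array_filter(
    $_SESSION['calls'] ?? [], fn($t) => $t > $now - 60));
if (count($_SESSION['calls']) >= 30) {
    deny(429, 'too many requests');
}
$_SESSION['calls'][] = $now;

// Only now run the query and return the JSON the page rebuilds the DOM from.
header('Content-Type: application/json');
echo json_encode(['results' => [] /* the 20 entries go here */]);
```

None of this hides the endpoint; it only makes anonymous or cross-site calls fail the same way an unauthenticated form submission would.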