I have a Facebook application, and some functionalities require some scripts running via Ajax. Is there a way to ensure that the script is only called from inside my app? I use jQuery for the Ajax calls like this:
$.post('script.php', {var1: val1, var2: val2}, function(data){...});
The code inside script.php runs some SQL queries and just checks that all requested variables are passed through the Ajax call.
What else should I check so that the script can only execute if called from my app and not by explicit calls?
Thanks in advance.
There are very few ways that you can make sure with 100% certainty that the Ajax request is being called from your app. If that was a mission-critical (high-security) requirement, then I would secure it the same way that I would secure any particular web resource:
If you don’t want to go through the hassle of establishing a session, then there are less certain, but still quite helpful means of preventing access (casual access, that is):
Check for the presence of two request headers: Referrer and X-Requested-With. Referrer should contain the URL of your base page, and X-Requested-With should contain XMLHttpRequest. These can be faked, but it would require a much more determined “attacker” than someone simply browsing to the URL directly.
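What the answer describes, written out as a server-side guard for script.php. This is an added example, not the poster's code or the answer's: it applies the two header checks (X-Requested-With and Referer) and, since those can be forged, also binds the request to a per-session token, which is the "establish a session" route the answer mentions. The app origin https://apps.example.com, the form field name csrf_token and the helper names are assumptions for the example.

```php
<?php
// script.php guard (added example, not from the original question or answer).
// Assumption: the app's base page is served from APP_ORIGIN and embeds the
// session token in its JavaScript, e.g.
//   $.post('script.php', {var1: val1, var2: val2, csrf_token: TOKEN}, ...);
session_start();

const APP_ORIGIN = 'https://apps.example.com';   // assumed base URL of the app

// Call this from the base page when rendering it, so the token can be
// embedded in the page's JavaScript. One token per session is enough here.
function issue_session_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// PHP exposes request headers as $_SERVER['HTTP_<NAME>'] with '-' mapped to '_'.
function request_header(string $name): string
{
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', $name));
    return $_SERVER[$key] ?? '';
}

// True only when the Referer's scheme and host match the app's origin.
// A missing or unparsable Referer is rejected rather than waved through.
function referer_matches_app(string $referer): bool
{
    $scheme = parse_url($referer, PHP_URL_SCHEME);
    $host   = parse_url($referer, PHP_URL_HOST);
    if (!is_string($scheme) || !is_string($host)) {
        return false;
    }
    return strtolower($scheme . '://' . $host) === APP_ORIGIN;
}

// The three checks from the answer, cheapest first.
function is_ajax_from_app(): bool
{
    // 1. jQuery adds this header to the XMLHttpRequests it issues
    //    (same-origin requests only, which is exactly the case here).
    if (request_header('X-Requested-With') !== 'XMLHttpRequest') {
        return false;
    }
    // 2. Referer should point back at the base page's origin.
    if (!referer_matches_app(request_header('Referer'))) {
        return false;
    }
    // 3. Session-bound token: headers can be faked by a determined caller,
    //    but the token is only known to a page this server rendered for
    //    this session. hash_equals() compares in constant time.
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_POST['csrf_token'] ?? null;
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !is_ajax_from_app()) {
    http_response_code(403);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'forbidden']);
    exit;
}

// From here on the request passed all three checks; the original script's
// parameter validation and SQL queries (with prepared statements) follow.
$var1 = $_POST['var1'] ?? null;
$var2 = $_POST['var2'] ?? null;
if (!is_string($var1) || !is_string($var2)) {
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'missing parameters']);
    exit;
}
header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

The order matters only for cost: the header checks are cheap string comparisons and reject most stray browser visits, while the token check is the one that actually ties the call to a page this server issued. Browsers and privacy extensions may strip the Referer header, so if legitimate users hit the 403, the token alone (check 3) is the one worth keeping.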