I have an AJAX-intensive web application where the requests are unsecured, meaning there is no client identification. I don't check whether it's my application that's making the request on the server.
Recently I found out that someone has used my AJAX request URLs to create an iPhone app that mimics my web app. I added a filter to discard requests from the iPhone by looking at the user agent string. This is definitely a temporary solution.
Instead of blocking certain user agents, how can I make sure that the request originated from my application? If I add more services like an FB app, Google Gadget, etc., I want these to be able to make requests as well.
The question is how I can make sure that the request originates from my app(s) and discard everything else.
You can use a special token that you send down with your response, which you would then look for in the AJAX call. That would ensure that the caller had to first load your web page. However, that still can't guarantee that the user isn't coming from the iPhone app. The app could simply process the same information and act as a proxy, and there's no way to tell that based on HTTP requests.
Does your site have any terms of use defined? If it does, the first thing you should do is contact Apple and tell them that the app is in violation of your terms of use and you want the app pulled. If it doesn't, you should write up some terms of use, contact the app's author notifying them of the change, and request that they take the app down or come to some other terms. If all that fails, your best bet is to just make it more difficult to use the AJAX calls directly. Simple things like obfuscating and minimizing the JS (and renaming your server-side functions to not be so well named) will raise the bar on scraping your data.
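The page-issued token check the answer describes, as an added example that is not part of the original post: the server mints an HMAC token bound to the session when it renders the page, and the AJAX endpoint rejects calls that do not echo a valid, unexpired one. The session cookie, the `X-App-Token` header name, the in-process secret and the `handle_ajax` endpoint are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-process secret; in production load it from config, not code.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds a page-issued token stays valid


def issue_token(session_id, now=None):
    """Mint a token while rendering the page; the page's JS echoes it on each AJAX call."""
    ts = int(time.time() if now is None else now)
    msg = f"{session_id}:{ts}".encode()
    mac = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_token(session_id, token, now=None):
    """True only if the token was minted for this session and has not expired."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False  # malformed or missing token
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= TOKEN_TTL:
        return False  # expired, or timestamp from the future
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def handle_ajax(headers, cookies, now=None):
    """Hypothetical AJAX endpoint: returns (status, body) after checking the token."""
    session_id = cookies.get("session")
    token = headers.get("X-App-Token")
    if not session_id or not token or not verify_token(session_id, token, now):
        return 403, "forbidden"
    return 200, "data"


if __name__ == "__main__":
    sid = "s-" + secrets.token_hex(8)  # constructed session id
    tok = issue_token(sid)
    print(handle_ajax({"X-App-Token": tok}, {"session": sid}))  # (200, 'data')
    print(handle_ajax({}, {"session": sid}))  # (403, 'forbidden')
```

As the answer notes, a native app that first loads the page and extracts the token still passes this check, so it raises the bar rather than identifying the client.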