Is there any way to know whether the page was called using AJAX or not?
We were using an additional variable sent with POST method, and I know about http_x_requested_with. But I’ve read somewhere on a security-related blog that both of them can be easily (?) hijacked.
So is there a secure method to know: was it an AJAX request or not?
Thanks!
x-requested-with can easily be changed, client side... but the point of the header isn't to provide secure login information or session security, it's to figure out how to handle the incoming request.
If I send a GET request for data.php, without setting the header, then maybe I need to serve an XML file, or maybe I need to serve a whole HTML page with full-site functionality, which has a list or table of that data in user-readable format. Meanwhile if the header is set, maybe I just send a JSON response so the client can refresh itself or load a new widget on the page.
None of this is meant to be secured, or to provide security.
That would be like tying videogame security to resolution/graphics settings.
If the client coerced a particular setting, and they couldn’t handle the response, tough.
If the client coerced a setting, and you’re giving them all kinds of sensitive data, just because they did, then that one is on you.
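As an added example, not from the original question or answer, here is a small Node.js-style request handler that uses X-Requested-With the way the answer describes: only to choose between an HTML page and a JSON response for the same data, with authentication decided first and independently of the header. Beside it is the anti-pattern the last paragraph warns about, a handler that treats the header as proof the request came from the site's own script and skips the session check. The request object shape, the /data.php path, the session store and the sample rows are all constructed for illustration and are not from the page.

```javascript
// Added example, not code from the original post. Shows X-Requested-With
// used as a content-negotiation hint, never as an access-control decision.

// Constructed sample data and session store (not from the page).
const DATA = [
  { id: 1, name: 'alice' },
  { id: 2, name: 'bob' },
];
const SESSIONS = { 's3cret-token': { user: 'alice' } };

// Assumed request shape: { method, path, headers: { name: value }, cookies: { name: value } }

// Header names are case-insensitive, so compare them case-folded.
function isAjax(req) {
  const hit = Object.entries(req.headers || {})
    .find(([name]) => name.toLowerCase() === 'x-requested-with');
  return !!hit && hit[1] === 'XMLHttpRequest';
}

// Authentication comes from the session cookie, never from request headers.
function authenticate(req) {
  const token = req.cookies && req.cookies.session;
  return token && SESSIONS[token] ? SESSIONS[token] : null;
}

// Escape every value before putting it into HTML.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHtml(rows) {
  const trs = rows
    .map((r) => `<tr><td>${escapeHtml(r.id)}</td><td>${escapeHtml(r.name)}</td></tr>`)
    .join('');
  return `<!doctype html><html><body><table>${trs}</table></body></html>`;
}

// Correct: authorize first, then let the header pick the representation.
function handleRequest(req) {
  const user = authenticate(req);
  if (!user) {
    return { status: 401, contentType: 'text/plain', body: 'login required' };
  }
  if (req.method !== 'GET' || req.path !== '/data.php') {
    return { status: 404, contentType: 'text/plain', body: 'not found' };
  }
  // Same data either way; only the format differs.
  if (isAjax(req)) {
    return { status: 200, contentType: 'application/json', body: JSON.stringify(DATA) };
  }
  return { status: 200, contentType: 'text/html', body: renderHtml(DATA) };
}

// Anti-pattern: "it has the AJAX header, so it must be our own page's script".
// Any client can set this header, so unauthenticated callers get the data.
function handleRequestTrustingHeader(req) {
  if (isAjax(req)) {
    return { status: 200, contentType: 'application/json', body: JSON.stringify(DATA) };
  }
  const user = authenticate(req);
  if (!user) {
    return { status: 401, contentType: 'text/plain', body: 'login required' };
  }
  return { status: 200, contentType: 'text/html', body: renderHtml(DATA) };
}
```

A request with no session cookie but a forged X-Requested-With: XMLHttpRequest header gets 401 from handleRequest and 200 with the full data set from handleRequestTrustingHeader; that difference is the whole point of the answer. In the correct handler, forging the header only changes whether an already-authorized caller receives JSON or HTML.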