AJAX Called URL Security

Question

AJAX Called URL Security

How to properly block a file that is called through AJAX? How do you prevent someone from directly accessing the response URL and receiving a response?

To help explain, I will use an example of an automatic suggestion function; In particular, entering a few letters will display a list of all members matching this phrase.

So, somewhere in Javascript, you are defining the URL "http://mysite.com?code=". Then in the search script we have

loginRequest.open("GET", url + characters, true);

and it returns the XML of all members that have “characters” somewhere in their name. What prevents a hacker from entering this URL directly into the browser and repeatedly sending new fragments of names, trying to get my entire membership database?

Not a single web example I came across seems to address this issue.

Am I just (wrong) paranoid?

+3

security ajax

Mivascott May 02, '11 at 18:22

source share

4 answers

, . IP- .

, - . - , ? ?

0

Emil Vikström 02 '11 18:25

If security is important, could you please use the session id and check it inside your ajax handler?

0

Shaunak May 02, '11 at 18:27

source share

with a "reasonable" threshold controller / throttle
and on violations there are any actions, such as captha or false information or wathever
with registered or not registered users, as google and others do with their things

0

Luis siquot May 02, '11 at 18:30

source share

Shamim hafiz · Accepted Answer · 2011-05-02T18:26:06+0000

If the URL is accessible on the client side, you cannot completely prevent the hacker or any bot from repeated requests to it and give no answer. You should at least use some server-side authentication to ensure that only a valid user can access the data.

And, of course, this valid user can also be malicious, so you must carefully develop the system to make sure that you are not sending any critical data.

AJAX Called URL Security

More articles: