Deny Ajax File Access Using Htaccess

Deny ajax file access using htaccess

The Bad: Apache :-(

X-Requested-With in not a standard HTTP Header.

You can't read it in apache at all (neither by
ReWriteCond %{HTTP_X_REQUESTED_WITH}
nor by
%{HTTP:X-Requested-With}), so its impossible to check it in .htaccess or same place. :-(

The Ugly: Script :-(

Its just accessible in the script (eg. php), but you said you don't want to include a php file in all of your scripts because of number of files.

The Good: auto_prepend_file :-)

  • But ... there's a simple trick to solve it :-)

auto_prepend_file specifies the name of a file that is automatically parsed before the main file. You can use it to include a "checker" script automatically.

So create a .htaccess in ajax folder

php_value auto_prepend_file check.php

and create check.php as you want:

<?
if( !@$_SERVER["HTTP_X_REQUESTED_WITH"] ){
        header('HTTP/1.1 403 Forbidden');
        exit;
}
?>

You can customize it as you want.

Modify .htaccess to deny access into folder, but allow access only from my site using ajax to specific files

Well, after a lot of searching, reading and testing i conclude that the best way to secure a website that works using Ajax is:

1 - Have only one (if possible) file like router.php that will "route" depending on the POST/GET navigation variables, using includes to files that are in sub-folders.

2 - Except of SESSION-based authentication you could also implement Basic HTTP authentication and/or HTTPS (SSL) to secure user credentials when login. If you are not using HTTPs, you should use field or form encryption because in 'wire' all are in plaintext. I have found useful this http://www.itsyndicate.ca/jquery/

3 - In every POST use Token-based Authentication with a token that is created from user credentials, send over with the request and then re-calculate and compare.

4 - I have tried lot of combinations for using only one .htaccess in document ROOT but always something was missing, or miss-configured or not working as i expected. So, i found more simple to use one .htaccess in every sub-folder instead of one in the root. In sub-folders depending on what they contain's .htaccess should look like this:

### No Direct Access to All files ###
<IfModule mod_authz_host.c>
    Order Deny,Allow
    Deny from all
#   Allow from 127.0.0.1
</IfModule>

### One of the alternative ways with mod_rewrite ###
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
    RewriteRule .* - [F,L]
</IfModule>

### permit ONLY filetypes in a pattern ###
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} ^(.+)\.(css|js|gif|png|jpe?g|woff)$
    RewriteRule .? - [S=1]
    RewriteRule ^(.+)$ - [F,L,NC]
</IfModule>

I prefer THE_REQUEST because this does not include any additional headers sent by the browser. This value has not been unescaped (decoded), unlike most other variables, and it has no point to spoof. I use skip [S=1] because i prefer to tell "If that then this rule not valid", so, in any other case the rule that "Denies" it is valid.

5 - For extra security you can use code inside php files, implementing one of the methods described in this article:
Prevent direct access to a php include file

6 - Also, if you are Forbidding Image Hotlinking (and NOT only) described here , beware that referer can be spoofed!!

Deny access to directory with .htaccess

You can only allow POST-requests. Accessing the page from the browser results in an error code, but posting from ajax works. See here.

Note: this qualifies as security through obscurity. If someone looks at your javascript, they'll find out how to get the page results.

Prevent access to php files (folder) with .htaccess EXCEPT for XMLHttpRequest

In the htaccess file in your soascripts folder:

RewriteEngine On
RewriteCond %{HTTP:X-Requested-With} !=XMLHttpRequest
RewriteCond %{HTTP:X-REQUESTED-WITH} !^(XMLHttpRequest)$
RewriteRule \.php$ - [L,F]

So without the 

X-Requested-With: XMLHttpRequest

request header, the response will be a 403 forbidden.

EDIT:

If you want to add the rules to the document root, you just need to include the path:

RewriteCond %{HTTP:X-Requested-With} !=XMLHttpRequest
RewriteCond %{HTTP:X-REQUESTED-WITH} !^(XMLHttpRequest)$
RewriteRule ^page/panel/soascripts/[^/.]+\.php$ - [L,F]

Make sure to add it before any type of routing rules (like stuff being sent to index.php).


Related Topics

File Not Uploading PHP

JSON Decode in PHP

Function Eregi() Is Deprecated

Display Output in Parts in PHP

PHP 5: Const VS Static

Whats the Easiest Way to Determine If a User Is Online? (Php/Mysql)

How to Return a Proper Success/Error Message for Jquery .Ajax() Using PHP

Why PHP Iteration by Reference Returns a Duplicate Last Record

PHP Regex Word Boundary Matching in Utf-8

How to Dynamically Build Queries with Pdo

PHP Password_Verify() Hash and Pass Won't Match

How to Escape Single-Quote (Apostrophe) in String Using PHP

Rest API Authorization & Authentication (Web + Mobile)

Use Openssl_Encrypt to Replace Mcrypt for 3Des-Ecb Encryption

Extract a Substring Between Two Characters in a String PHP

Creating an Array from a String Separated by Spaces

How to Use Prepare() with Dynamic Column Names

How to Use Composer Packages in Codeigniter


Leave a reply



Submit