I have some scripts which I only use via ajax and I don't want the user to run these scripts from the browser. I use jQuery to make all ajax calls and I keep all my ajax files inside a folder named ajax.

So, I wanted to create an htaccess file which checks for an ajax request (HTTP_X_REQUESTED_WITH) and denies other requests in that folder. (I know that the http header can be spoofed but I can't think of a better solution). I tried this:

ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$
ReWriteCond % ^/ajax/.php$
ReWriteRule ^.*$ - [F]

But it's not working. What am I doing wrong? Is there any other way to achieve similar results? (I don't want to check for that header in every script).

The Bad: Apache :-(

X-Requested-With is not a standard HTTP header.

You cannot read it in apache at all (neither by ReWriteCond %{HTTP_X_REQUESTED_WITH} nor by %{HTTP:X-Requested-With}), so it's impossible to check it in .htaccess or the like. :-(

The Ugly: Script :-(

It's only available in the script (e.g. php), but you said you don't want to include a php file in all of the scripts because of the number of files.

The Good: auto_prepend_file :-)

But ... there is a simple trick to solve it :-)

auto_prepend_file specifies the name of a file that is automatically parsed before the main file. You can use it to include a "checker" script automatically.

So create a .htaccess in the ajax folder

php_value auto_prepend_file check.php

and write check.php as you like:

<?php
// check.php: prepended to every script in the ajax folder via auto_prepend_file.
// Refuse the request unless the client sent the X-Requested-With header.
if (empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {
        header('HTTP/1.1 403 Forbidden');
        exit;
}

You can customize it as you like.
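A fuller version of the prepended checker, as an added example that is not the answerer's snippet: the check lives in a function that takes the server array as a parameter, so it can be run from the command line against constructed requests as well as under Apache. It compares the header value to the string jQuery actually sends (XMLHttpRequest) rather than only testing for presence. Two practical caveats: php_value in .htaccess only takes effect under mod_php (with PHP-FPM the equivalent setting goes in .user.ini), and auto_prepend_file is resolved through include_path, so an absolute path such as /var/www/example/ajax/check.php (a placeholder) is the safer choice. The header is set by the client, so this filters casual direct browsing; it is not authentication.

```php
<?php
// check.php: added example, not the original answer's code.
// Loaded before every script in /ajax/ via "php_value auto_prepend_file".
declare(strict_types=1);

/**
 * True when the request carries the header jQuery adds to its
 * XMLHttpRequest calls. $server is passed in instead of reading $_SERVER
 * directly so the check can be exercised offline from the CLI.
 */
function is_ajax_request(array $server): bool
{
    $value = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    // Header values are not case-normalized by PHP; compare case-insensitively.
    return strcasecmp($value, 'XMLHttpRequest') === 0;
}

/** Send a 403 and stop unless the request looks like an ajax call. */
function deny_non_ajax(array $server): void
{
    if (is_ajax_request($server)) {
        return; // fall through to the real script that follows this prepend
    }
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain; charset=utf-8');
    echo "Forbidden\n";
    exit;
}

if (PHP_SAPI !== 'cli') {
    deny_non_ajax($_SERVER);
} else {
    // Constructed sample requests for a quick offline check: php check.php
    $samples = [
        'jQuery ajax'   => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
        'lowercase'     => ['HTTP_X_REQUESTED_WITH' => 'xmlhttprequest'],
        'plain browser' => [],
        'wrong value'   => ['HTTP_X_REQUESTED_WITH' => 'curl'],
    ];
    foreach ($samples as $label => $server) {
        printf("%-14s -> %s\n", $label, is_ajax_request($server) ? 'allowed' : 'denied');
    }
}
```

Under Apache the CLI branch never runs; the prepend simply returns for ajax calls and the requested script executes as normal.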

There are only a few predefined HTTP_* variables mapping to HTTP headers which you can use in a RewriteCond. For any other HTTP header, you must use a %{HTTP:Header-Name} variable.

Just change

ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$

To:

ReWriteCond %{HTTP:X-Requested-With} ^$

I'm assuming you have all of your AJAX scripts in a directory ajax, since you refer to ^/ajax/.php$ in your non-working example.

In this folder /ajax/ place a .htaccess file with this content:

SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
Order Deny,Allow
Deny from all
Allow from env=ajax

What this does is deny any request without the XMLHttpRequest header.

Just check for if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){ at the start of the document; if it's not set, then don't return anything.

edit Here's why: http://github.com/jquery/jquery/blob/master/src/ajax.js#L370

edit 2 My bad, just read through your post again. You can alternatively make a folder inaccessible to the web and then just have a standard ajax.php file which has include('./private/scripts.php'), as the server will still be able to access it, but nobody will be able to view it from their browser.

An alternative to using .htaccess is to use the $_SERVER['HTTP_REFERER'] variable to check that the script has been accessed from your page, rather than from another site, etc.
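One way to implement the Referer-based check above, as an added example and not the answerer's code: compare the host part of the Referer header with the Host header the request arrived on, so only the host is compared and the page path is ignored. Both headers are supplied by the client, so a match is a weak signal against casual cross-site use rather than proof of origin, and browsers may omit Referer entirely (Referrer-Policy, privacy extensions), which this code treats as a mismatch. The host names and requests in the CLI section are constructed samples.

```php
<?php
// referer_check.php: added example for the HTTP_REFERER approach above.
declare(strict_types=1);

/**
 * True when the host named in the Referer header equals the host this
 * request was sent to. Returns false when either header is missing or the
 * Referer cannot be parsed.
 */
function referer_matches_host(array $server): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $host    = $server['HTTP_HOST'] ?? '';
    if ($referer === '' || $host === '') {
        return false; // no Referer (privacy settings) or no Host: treat as foreign
    }
    $refHost = parse_url($referer, PHP_URL_HOST);
    if (!is_string($refHost) || $refHost === '') {
        return false; // unparseable or relative Referer value
    }
    // Drop an explicit port from Host ("example.test:8080" or "[::1]:8080")
    // because parse_url() returns the host without the port.
    $hostOnly = preg_replace('/:\d+$/', '', $host);
    return strcasecmp($refHost, $hostOnly) === 0;
}

/** Prepend-style guard: 403 unless the Referer host matches. */
function deny_foreign_referer(array $server): void
{
    if (referer_matches_host($server)) {
        return;
    }
    header('HTTP/1.1 403 Forbidden');
    exit;
}

if (PHP_SAPI !== 'cli') {
    deny_foreign_referer($_SERVER);
} else {
    // Constructed requests for an offline run: php referer_check.php
    $samples = [
        'same host'      => ['HTTP_HOST' => 'example.test',
                             'HTTP_REFERER' => 'https://example.test/page.html'],
        'host with port' => ['HTTP_HOST' => 'example.test:8080',
                             'HTTP_REFERER' => 'http://example.test:8080/index.php'],
        'other site'     => ['HTTP_HOST' => 'example.test',
                             'HTTP_REFERER' => 'https://attacker.invalid/example.test'],
        'no referer'     => ['HTTP_HOST' => 'example.test'],
    ];
    foreach ($samples as $label => $server) {
        printf("%-15s -> %s\n", $label, referer_matches_host($server) ? 'allowed' : 'denied');
    }
}
```

The "other site" sample shows why the host is parsed with parse_url() rather than matched as a substring: the foreign URL contains the expected host name in its path, and a naive strpos() check would let it through.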