
Prevent direct access to JSON file

Trying to deny direct access to a JSON file, tried:

RewriteRule ^(api/|category\.json) - [F,L,NC]

but not working.

I used this file for an Ajax call, but I don't want anyone to be able to access this file directly.

$.ajax({
    type: "POST",
    dataType: 'json',
    url: 'api/category.json',
    success: function(data) {
        // Iterate over the entries of the parsed JSON response
        $.each(data, function(i, v) {
            // do something
        });
    }
});

Wondering, is there any method to do this? Via htaccess or httpd.conf, etc.?

AFAIK, if you can access the file with an HTTP GET command, which you'd have to do with the Ajax call, then you can also access the file and download it directly.

Sorry.

However, you can at least configure the Apache server to not allow direct indexing of that directory. Search for the "Options" directive in the httpd.conf file, and if it has an "Indexes" tag, either remove it or prepend a minus sign, e.g.,

Options -Indexes

That way, at least people won't know the file is there just by remotely perusing the directories.

You can "minimize" your JavaScript file (the one containing your Ajax call) by removing all comments and whitespace. Search the web for tools that do this. Because, if somebody can read your JavaScript, they can see exactly that your Ajax is fetching "api/category.json"; then of course they can too.

They still can read the "minimized" script anyway, plus there are tools to "de-minimize" it, but it may be enough trouble so that most people won't bother.

I'd suggest you try to avoid putting any really deep dark secrets in that file, because, bottom line, if your Ajax can fetch it, so can anybody else.
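
Added example (not part of the original question or answer): a JavaScript sketch of the answer's point that the server only ever sees an HTTP request, whether it came from the page's Ajax call or from someone opening the URL. The gate functions, the session store, the cookie name sid and the token are hypothetical, and the session check goes one step beyond the answer: it shows that a server can restrict who receives the file, not whether the request came from Ajax.

```javascript
// Constructed sample state: one logged-in session held on the server.
// A real token would come from a CSPRNG at login; this value is made up.
const SESSIONS = new Map([['3f9a1c0e5b7d42a8', { user: 'alice' }]]);

// Weak gate: decides from a header the client fills in itself.
// jQuery adds X-Requested-With to same-origin Ajax calls; other clients can too.
function headerGate(req) {
  return req.headers['x-requested-with'] === 'XMLHttpRequest' ? 200 : 403;
}

// Server-side gate: decides from state the server holds (the session store).
function sessionGate(req) {
  const match = /(?:^|;\s*)sid=([0-9a-f]+)/.exec(req.headers.cookie || '');
  return match && SESSIONS.has(match[1]) ? 200 : 401;
}

// Constructed requests, as the server receives them (method, path, headers).
const REQUESTS = {
  // The page's $.ajax call from a logged-in browser.
  ajaxLoggedIn: { method: 'POST', url: '/api/category.json',
    headers: { 'x-requested-with': 'XMLHttpRequest', cookie: 'sid=3f9a1c0e5b7d42a8' } },
  // The same URL opened directly, no session.
  directAnonymous: { method: 'GET', url: '/api/category.json', headers: {} },
  // A non-browser client that sends the same header, still no session.
  sameHeaderAnonymous: { method: 'POST', url: '/api/category.json',
    headers: { 'x-requested-with': 'XMLHttpRequest' } },
  // A logged-in user opening the URL directly in the address bar.
  directLoggedIn: { method: 'GET', url: '/api/category.json',
    headers: { cookie: 'sid=3f9a1c0e5b7d42a8' } },
};

// Run every request through both gates and collect the status codes.
function compareGates() {
  const out = {};
  for (const [name, req] of Object.entries(REQUESTS)) {
    out[name] = { header: headerGate(req), session: sessionGate(req) };
  }
  return out;
}

console.table(compareGates());
```

The header gate treats the anonymous request with the copied header exactly like the page's own call, while the session gate answers by who is asking and still serves a logged-in user who opens the URL directly.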
