堆栈内存溢出
  简体   繁体   English

使用htaccess拒绝ajax文件访问

[英]Deny ajax file access using htaccess

 原文  2010-08-12 10:42:43       php/ jquery/ apache/ .htaccess

问题描述

There are some scripts that I use only via ajax and I do not want the user to run these scripts directly from the browser. 我只使用ajax使用了一些脚本,我不希望用户直接从浏览器运行这些脚本。 I use jQuery for making all ajax calls and I keep all of my ajax files in a folder named ajax. 我使用jQuery进行所有ajax调用,并将所有ajax文件保存在名为ajax的文件夹中。

So, I was hoping to create an htaccess file which checks for ajax request (HTTP_X_REQUESTED_WITH) and deny all other requests in that folder. 所以,我希望创建一个htaccess文件来检查ajax请求(HTTP_X_REQUESTED_WITH)并拒绝该文件夹中的所有其他请求。 (I know that http header can be faked but I can not think of a better solution). (我知道http标头可以伪造,但我想不出更好的解决方案)。 I tried this: 我试过这个:

ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$ ReWriteCond%{HTTP_X_REQUESTED_WITH} ^ $
ReWriteCond %{SERVER_URL} ^ /ajax/ .php$ ReWriteCond%{SERVER_URL} ^ / ajax / .php $
ReWriteRule ^.*$ - [F] ReWriteRule ^。* $ - [F]

But, it is not working. 但是,它不起作用。 What I am doing wrong? 我做错了什么? Is there any other way to achieve similar results. 有没有其他方法可以达到类似的结果。 (I do not want to check for the header in every script). (我不想在每个脚本中检查标题)。

5 个解决方案

解决方案1
 25 已采纳  2010-12-19 16:26:48

The Bad: Apache :-( 坏:阿帕奇:-(

X-Requested-With in not a standard HTTP Header . X-Requested-With不是标准的HTTP标头

You can't read it in apache at all (neither by ReWriteCond %{HTTP_X_REQUESTED_WITH} nor by %{HTTP:X-Requested-With} ), so its impossible to check it in .htaccess or same place. 您根本无法在apache中读取它(无论是ReWriteCond %{HTTP_X_REQUESTED_WITH}还是%{HTTP:X-Requested-With} ),因此无法在.htaccess或同一位置检查它。 :-( :-(

The Ugly: Script :-( 丑陋的:脚本:-(

Its just accessible in the script (eg. php), but you said you don't want to include a php file in all of your scripts because of number of files. 它只是在脚本中可访问(例如php),但是你说你不希望因为文件数量而在所有脚本中都包含一个php文件。

The Good: auto_prepend_file :-) 好:auto_prepend_file :-)

  • But ... there's a simple trick to solve it :-) 但是......有一个简单的方法可以解决它:-)

auto_prepend_file specifies the name of a file that is automatically parsed before the main file. auto_prepend_file指定在主文件之前自动解析的文件的名称。 You can use it to include a "checker" script automatically. 您可以使用它自动包含“检查器”脚本。

So create a .htaccess in ajax folder 所以在ajax文件夹中创建一个.htaccess 

php_value auto_prepend_file check.php

and create check.php as you want: 并根据需要创建check.php 

<?
if( !@$_SERVER["HTTP_X_REQUESTED_WITH"] ){
        header('HTTP/1.1 403 Forbidden');
        exit;
}
?>

You can customize it as you want. 您可以根据需要自定义它。

解决方案2
 16  2010-12-17 08:16:28

I'm assuming you have all your AJAX scripts in a directory ajax, because you refer to ^/ajax/.php$ in your non-working example. 我假设您在ajax目录中拥有所有AJAX脚本,因为您在非工作示例中引用了^ / ajax / .php $。

In this folder /ajax/ place a .htaccess file with this content: 在此文件夹/ajax/放置一个包含此内容的.htaccess文件: 

SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
Order Deny,Allow
Deny from all
Allow from env=ajax

What this does is deny any request without the XMLHttpRequest header. 这样做是在没有XMLHttpRequest标头的情况下拒绝任何请求。

解决方案3
 1  2010-12-14 17:19:15

There are only a few predefined HTTP_* variables mapping to HTTP headers that you can use in a RewriteCond. 只有少数预定义的HTTP_ *变量映射到可以在RewriteCond中使用的HTTP头。 For any other HTTP headers, you need to use a %{HTTP:header} variable. 对于任何其他HTTP标头,您需要使用%{HTTP:header}变量。

Just change 只是改变 

ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$

To: 至: 

ReWriteCond %{HTTP:X-Requested-With} ^$

解决方案4
 0  2010-08-12 10:45:59

Just check for if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){ at the beginning of the document, if it's not set, then don't return anything. 只需检查if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){在文档的开头,如果未设置,则不返回任何内容。

edit Here's why: http://github.com/jquery/jquery/blob/master/src/ajax.js#L370 编辑原因如下: http//github.com/jquery/jquery/blob/master/src/ajax.js#L370

edit 2 My bad, just read through your post again. 编辑2我的不好,只需再次阅读你的帖子。 You can alternatively make a folder inaccessible to the web and then just have a standard ajax.php file that has include('./private/scripts.php') as your server will still be able to access it, but no one will be able to view from their browser. 您也可以让网络无法访问文件夹,然后只有一个标准的ajax.php文件,其中include('./private/scripts.php')因为您的服务器仍然可以访问它,但没有人会能够从他们的浏览器查看。

解决方案5
 0  2010-12-15 19:56:32

使用.htaccess的另一种方法是使用$ _SERVER ['HTTP_REFERER']变量来测试是从页面访问脚本,而不是从其他站点访问等。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 修改.htaccess以拒绝访问文件夹,但是仅允许使用ajax从我的站点访问特定文件 - Modify .htaccess to deny access into folder, but allow access only from my site using ajax to specific files 如果不存在$ _POST,htaccess拒绝访问文件吗? - htaccess deny access to file if no $_POST exist? 拒绝通过htaccess直接访问文件夹和文件 - deny direct access to a folder and file by htaccess 拒绝访问 .htaccess 中的 .ini 文件是否安全? - Is it safe to deny access to .ini file in .htaccess? 使用htaccess和PHP拒绝目录和文件访问 - Deny directory and file access with both htaccess and PHP 拒绝使用htaccess直接访问文件 - Deny direct access to files using htaccess 使用.htaccess拒绝访问子文件夹和文件 - Deny access to subfolders and files using .htaccess 如何使用htaccess拒绝文件的用户访问,而不拒绝使用该文件的插件的访问? - How to deny access to users for a file but not to the plugin which uses the file using htaccess? .htaccess拒绝目录访问 - .htaccess to deny directory access 使用.htaccess拒绝输入 - Deny entry using .htaccess
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM