[英]Deny ajax file access using htaccess
There are some scripts that I use only via ajax and I do not want the user to run these scripts directly from the browser. 我只使用ajax使用了一些脚本,我不希望用户直接从浏览器运行这些脚本。 I use jQuery for making all ajax calls and I keep all of my ajax files in a folder named ajax.
我使用jQuery进行所有ajax调用,并将所有ajax文件保存在名为ajax的文件夹中。
So, I was hoping to create an htaccess file which checks for ajax request (HTTP_X_REQUESTED_WITH) and deny all other requests in that folder. 所以,我希望创建一个htaccess文件来检查ajax请求(HTTP_X_REQUESTED_WITH)并拒绝该文件夹中的所有其他请求。 (I know that http header can be faked but I can not think of a better solution).
(我知道http标头可以伪造,但我想不出更好的解决方案)。 I tried this:
我试过这个:
ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$
ReWriteCond%{HTTP_X_REQUESTED_WITH} ^ $
ReWriteCond %{SERVER_URL} ^ /ajax/ .php$ReWriteCond%{SERVER_URL} ^ / ajax / .php $
ReWriteRule ^.*$ - [F]ReWriteRule ^。* $ - [F]
But, it is not working. 但是,它不起作用。 What I am doing wrong?
我做错了什么? Is there any other way to achieve similar results.
有没有其他方法可以达到类似的结果。 (I do not want to check for the header in every script).
(我不想在每个脚本中检查标题)。
X-Requested-With
in not a standard HTTP Header . X-Requested-With
不是标准的HTTP标头 。
You can't read it in apache at all (neither by ReWriteCond %{HTTP_X_REQUESTED_WITH}
nor by %{HTTP:X-Requested-With}
), so its impossible to check it in .htaccess or same place. 您根本无法在apache中读取它(无论是
ReWriteCond %{HTTP_X_REQUESTED_WITH}
还是%{HTTP:X-Requested-With}
),因此无法在.htaccess或同一位置检查它。 :-( :-(
Its just accessible in the script (eg. php), but you said you don't want to include a php file in all of your scripts because of number of files. 它只是在脚本中可访问(例如php),但是你说你不希望因为文件数量而在所有脚本中都包含一个php文件。
auto_prepend_file
specifies the name of a file that is automatically parsed before the main file. auto_prepend_file
指定在主文件之前自动解析的文件的名称。 You can use it to include a "checker" script automatically. 您可以使用它自动包含“检查器”脚本。
So create a .htaccess
in ajax folder 所以在ajax文件夹中创建一个
.htaccess
php_value auto_prepend_file check.php
and create check.php
as you want: 并根据需要创建
check.php
:
<?
if( !@$_SERVER["HTTP_X_REQUESTED_WITH"] ){
header('HTTP/1.1 403 Forbidden');
exit;
}
?>
You can customize it as you want. 您可以根据需要自定义它。
I'm assuming you have all your AJAX scripts in a directory ajax, because you refer to ^/ajax/.php$ in your non-working example. 我假设您在ajax目录中拥有所有AJAX脚本,因为您在非工作示例中引用了^ / ajax / .php $。
In this folder /ajax/
place a .htaccess
file with this content: 在此文件夹
/ajax/
放置一个包含此内容的.htaccess
文件:
SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
Order Deny,Allow
Deny from all
Allow from env=ajax
What this does is deny any request without the XMLHttpRequest header. 这样做是在没有XMLHttpRequest标头的情况下拒绝任何请求。
There are only a few predefined HTTP_* variables mapping to HTTP headers that you can use in a RewriteCond. 只有少数预定义的HTTP_ *变量映射到可以在RewriteCond中使用的HTTP头。 For any other HTTP headers, you need to use a %{HTTP:header} variable.
对于任何其他HTTP标头,您需要使用%{HTTP:header}变量。
Just change 只是改变
ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$
To: 至:
ReWriteCond %{HTTP:X-Requested-With} ^$
Just check for if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){
at the beginning of the document, if it's not set, then don't return anything. 只需检查
if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){
在文档的开头,如果未设置,则不返回任何内容。
edit Here's why: http://github.com/jquery/jquery/blob/master/src/ajax.js#L370 编辑原因如下: http : //github.com/jquery/jquery/blob/master/src/ajax.js#L370
edit 2 My bad, just read through your post again. 编辑2我的不好,只需再次阅读你的帖子。 You can alternatively make a folder inaccessible to the web and then just have a standard ajax.php file that has
include('./private/scripts.php')
as your server will still be able to access it, but no one will be able to view from their browser. 您也可以让网络无法访问文件夹,然后只有一个标准的ajax.php文件,其中
include('./private/scripts.php')
因为您的服务器仍然可以访问它,但没有人会能够从他们的浏览器查看。
使用.htaccess的另一种方法是使用$ _SERVER ['HTTP_REFERER']变量来测试是从页面访问脚本,而不是从其他站点访问等。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.