Lacrifilm - 1 month ago
Ajax Question

Deny external access to PHP files

My platform uses AJAX to communicate with its internal structure (APIs and others). All AJAX requests are sent to a single file called globalAPI.php (POST method), which then communicates with other PHP files (this was done to hide the internal structure).

Assuming a user discovered how it works and makes a request from his own server, we can conclude that it would generate results without him even being logged in to my platform.

So how can you protect this file from external access?

I believe I could use a .htaccess file with Allow from 127.0.0.1, but what if the user changes his IP to 127.0.0.1? Would he then have access to this file?

Is there another way to protect this file?

Answer

You should implement an authentication system in all your API calls if you want to restrict their access.

Basically, you cannot prevent a user from opening the Network tab from the Devtools and watching the requests that your client makes to the server API: an advanced user can see the parameters sent at each request and resend the request with the same or different parameters.

If this file is accessible through AJAX, it is accessible to the client anyway: what you have to do is make sure that the user cannot access more than the AJAX calls allow him. To do that, secure your API, e.g. by requiring a user token for every call: the server would then know which user is accessing the API and you can handle authorization from that point.
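As an added example (not the asker's or the answerer's code), this is how the globalAPI.php front controller from the question could enforce the per-call token check the answer recommends: it assumes an API_SECRET environment variable on the server, a login step that already handed the client a token made with issue_token, and hypothetical internal/profile.php and internal/orders.php handler files.

```php
<?php
// Added example, not the asker's code: globalAPI.php as a front controller that
// authenticates every POST before dispatching to internal handler files.
// Assumed: API_SECRET env var on the server; the login flow issued the client a
// token of the form base64(user_id:expiry) . "." . hmac_sha256(payload, secret).
declare(strict_types=1);

const TOKEN_TTL = 3600;

function issue_token(int $userId, string $secret, ?int $now = null): string {
    $payload = base64_encode($userId . ':' . (($now ?? time()) + TOKEN_TTL));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user id on success, null on any failure (no detail leaks to the client).
function verify_token(string $token, string $secret, ?int $now = null): ?int {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) { return null; }
    [$payload, $sig] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $sig)) { return null; } // constant-time compare
    $decoded = base64_decode($payload, true);
    $fields = $decoded === false ? [] : explode(':', $decoded, 2);
    if (count($fields) !== 2 || !ctype_digit($fields[0]) || !ctype_digit($fields[1])) { return null; }
    if ((int)$fields[1] < ($now ?? time())) { return null; } // expired
    return (int)$fields[0];
}

// Allowlist of action -> internal file, so the client can never name an arbitrary .php file.
const ACTIONS = [
    'profile' => __DIR__ . '/internal/profile.php',  // hypothetical handler
    'orders'  => __DIR__ . '/internal/orders.php',   // hypothetical handler
];

function fail(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: application/json');
    exit(json_encode(['error' => $msg]));
}

if (PHP_SAPI !== 'cli') {  // skip the dispatch when the file is included from a test script
    $secret = getenv('API_SECRET') ?: '';
    $auth = $_SERVER['HTTP_AUTHORIZATION'] ?? '';  // Apache may need SetEnvIf to pass this header through
    $userId = ($secret !== '' && strpos($auth, 'Bearer ') === 0) ? verify_token(substr($auth, 7), $secret) : null;
    if ($userId === null) { fail(401, 'unauthenticated'); }
    $action = $_POST['action'] ?? '';
    if (!is_string($action) || !isset(ACTIONS[$action])) { fail(400, 'unknown action'); }
    require ACTIONS[$action];  // handler authorizes $userId for the specific resource it touches
}
```

Each internal handler still has to check that $userId may read or change the resource it serves; the token only answers "who is calling", not "what may they do".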