Horst Walter Horst Walter - 10 months ago 62
PHP Question

Usage restriction of public (PHP) web services

I have a public php site. It features JSON webservices, which I use for jQuery autocomplete. The web site is public, so are the webservices.

However, I want to restrict the webservices so they can only be called from the corresponding website (ie HTML pages loaded from that web site).

What would be a good solution for that?

Restriction in this context means:
My webservice (e.g.

) is public. As the user is not authenticated I wonder how I can check if it is called from a page of my site (e.g.

http://stackoverflow.com/a/38614140/356726 is a useful answer (+1), but only avoids AJAX usage from another browser. It does not prevent just reading the JSON result in the browser.


Here is what I did. As described in Pass request headers in a jQuery AJAX GET call it is possible to pass a request header to my Ajax request.

I check for this header value and deny access when it is not present. It is a minimal and by far not perfect means, but does its job. I have combined it with the recommended header ('Access-Control-Allow-Origin: yourdomain.com'); . In combination it seems to be sufficient for now.

  1. no cross domain AJAX access
  2. no browsing of JSON data by just entering the URL