I have a public PHP site. It features JSON webservices, which I use for jQuery autocomplete. The website is public, and so are the webservices.
However, I want to restrict the webservices so they can only be called from the corresponding website (i.e. HTML pages loaded from that website).
What would be a good solution for that?
Restriction in this context means:
My webservice (e.g.
Here is what I did. As described in "Pass request headers in a jQuery AJAX GET call", it is possible to pass a request header to my Ajax request.
I check for this header value and deny access when it is not present. It is a minimal and by far not perfect means, but does its job. I have combined it with the recommended header('Access-Control-Allow-Origin: yourdomain.com');. In combination it seems to be sufficient for now.
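The combination described in the post above (custom request header check plus Access-Control-Allow-Origin), as an added PHP example that is not the poster's code. The header name X-Autocomplete-Client, its value, the origin https://yourdomain.example and the function name gate_request are assumptions made for illustration.

```php
<?php
// Added example; the header name, its value and the origin are assumptions.
const ALLOWED_ORIGIN = 'https://yourdomain.example'; // scheme + host, as browsers send it
const MARKER_HEADER  = 'X-Autocomplete-Client';      // hypothetical custom header
const MARKER_VALUE   = '1';

/**
 * Decide whether a request may reach the JSON service.
 * $server is a $_SERVER-style array, so the logic can be exercised offline.
 * Returns [HTTP status, response headers to send].
 */
function gate_request(array $server): array
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    $cors   = ['Access-Control-Allow-Origin: ' . ALLOWED_ORIGIN, 'Vary: Origin'];

    // Browsers attach Origin to cross-origin calls; refuse pages from other sites.
    if ($origin !== null && $origin !== ALLOWED_ORIGIN) {
        return [403, []];
    }
    // Preflight: a custom header makes a cross-origin request non-simple, so the
    // browser asks first. Only the allowed origin gets this far.
    if (($server['REQUEST_METHOD'] ?? 'GET') === 'OPTIONS') {
        $cors[] = 'Access-Control-Allow-Headers: ' . MARKER_HEADER;
        return [204, $cors];
    }
    // PHP exposes "X-Autocomplete-Client" as HTTP_X_AUTOCOMPLETE_CLIENT.
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', MARKER_HEADER));
    if (($server[$key] ?? '') !== MARKER_VALUE) {
        return [403, []];
    }
    return [200, $cors];
}

// Constructed sample requests (not captured traffic).
$samples = [
    'own page, header set'    => ['REQUEST_METHOD' => 'GET', 'HTTP_X_AUTOCOMPLETE_CLIENT' => '1'],
    'own page, header absent' => ['REQUEST_METHOD' => 'GET'],
    'other site, header set'  => ['REQUEST_METHOD' => 'GET', 'HTTP_ORIGIN' => 'https://other.example',
                                  'HTTP_X_AUTOCOMPLETE_CLIENT' => '1'],
];
foreach ($samples as $label => $server) {
    [$status, $headers] = gate_request($server);
    printf("%-24s -> %d %s\n", $label, $status, implode('; ', $headers));
}
```

In the service script, call gate_request($_SERVER), send the returned status with http_response_code() and each returned header with header(), and stop unless the status is 200. A non-browser client can set both headers itself, so this filters calls made from other sites' pages in a browser, not scripted clients.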