Detecting Ajax in PHP and making sure request was from my own website

Question

I use my PHP back-end to detect AJAX requests by checking for a value in $_SERVER['HTTP_X_REQUESTED_WITH'].

This gives me a reliable detection, making sure the request is made utilizing AJAX techniques.

How can I make sure the request came from my own domain, and not an external domain/robot?

www.example.com/ajax?true could allow anyone to make an AJAX call and cut the information.

I could make sessions for everyone that enters my website normally, and then allow AJAX calls.. but that can be faked too.

Does it even matter these days?

Answer 1

Let you Controller

• generate access token
• store in session for later comparison

In your View

• declare the access token as JS variable
• send the token with each request

Back in your Controller

• validate HTTP_X_REQUESTED_WITH
• validate token

Check these security guidelines from OpenAjax.
Also, read the article on codinghorror.com Annie linked.