
Making Ajax Calls Secure

What happens if a user looks at my JavaScript file, copies the content of a function and sends a request to my server using AJAX? And is there a way to properly protect against thi

Solution 1:

The way to protect against this is no different from the way you protect against any web request. You make it so that your site requires some form of authentication (i.e. users have to log in) and don't do anything if the request is not properly authenticated.

Typically, when you make an AJAX request, cookies are also sent along with the request, so you should just be able to use the same authentication method that you use for your regular requests with your AJAX requests.

Solution 2:

As per codeka, there is no way to prevent someone from crafting their own Ajax query that is identical to the one you have in your Javascript request. Cross-domain protection will not necessarily protect you there, as they can, if they wished, just type the Javascript into the address bar for themselves while on a page on your site.

The only protection you have is to validate the input and parameters provided through the Ajax query on the server-side. Limit each PHP or Python or whatever response script to a very specific task, and check the input on the server-side. If something's wrong, respond with an error.

In short, there is no way to prevent someone from sending the request, but you can prevent them from doing something you don't want them to do on your server.
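Solutions 1 and 2 together describe the server-side shape of the answer: check the session before doing anything, then accept only the exact parameters the endpoint needs. The block below is an added example, not code from either answer; it assumes a constructed session table and a hypothetical single-purpose "transfer" endpoint, and it shows that a hand-crafted request without a valid cookie, or with extra or malformed parameters, is refused even though nothing stopped the client from sending it. One caveat the answers do not mention: because the browser attaches the cookie automatically, a cookie alone also authenticates requests that another site tricks the browser into sending, so a CSRF token or a SameSite cookie attribute belongs alongside this check.

```python
import json

# Constructed sample session table (assumption): cookie value -> user id.
# In a real application this lookup hits the session store.
SESSIONS = {"s3cr3t-session-abc": 42}


def authenticate(cookies):
    """Return the user id for a valid session cookie, else None."""
    return SESSIONS.get(cookies.get("session"))


def validate_transfer_params(params):
    """Strict allow-list checks for the one task this endpoint performs.

    Returns an error message, or None if the parameters are acceptable.
    """
    # Exactly these two keys, nothing extra (no smuggled "from_user", "admin", ...).
    if set(params) != {"to_account", "amount"}:
        return "unexpected or missing parameters"
    to_account = params["to_account"]
    if not isinstance(to_account, str) or len(to_account) != 8 or not to_account.isdigit():
        return "to_account must be an 8-digit string"
    amount = params["amount"]
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(amount, int) or isinstance(amount, bool) or not 1 <= amount <= 10_000:
        return "amount must be an integer between 1 and 10000"
    return None


def handle_transfer(request):
    """Hypothetical AJAX endpoint handler.

    `request` is a dict with "method", "cookies" and "body" (raw JSON text),
    standing in for whatever framework object you actually use.
    Returns (http_status, response_dict).
    """
    if request.get("method") != "POST":
        return 405, {"error": "method not allowed"}

    # Solution 1: same authentication as any other request.
    user = authenticate(request.get("cookies", {}))
    if user is None:
        return 401, {"error": "not authenticated"}

    # Solution 2: never trust the body just because it "came from our JavaScript".
    try:
        params = json.loads(request.get("body", ""))
    except json.JSONDecodeError:
        return 400, {"error": "malformed JSON"}
    if not isinstance(params, dict):
        return 400, {"error": "body must be a JSON object"}
    err = validate_transfer_params(params)
    if err is not None:
        return 400, {"error": err}

    # The acting user comes from the session, never from the request body.
    return 200, {
        "ok": True,
        "from_user": user,
        "to_account": params["to_account"],
        "amount": params["amount"],
    }


if __name__ == "__main__":
    forged = {"method": "POST", "cookies": {}, "body": '{"to_account": "12345678", "amount": 100}'}
    print(handle_transfer(forged))  # refused: no session
    genuine = {"method": "POST", "cookies": {"session": "s3cr3t-session-abc"},
               "body": '{"to_account": "12345678", "amount": 100}'}
    print(handle_transfer(genuine))  # accepted
```

The point of `validate_transfer_params` is the allow-list: the endpoint knows the two fields it needs and rejects anything else, so a client who reads the JavaScript and adds a field the UI never sends gains nothing.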

Solution 3:

Assuming that you need some form of authentication:

I guess you can maintain a database session to validate whether the request is coming from a genuine user or is forged. Use encrypted cookies to store the session ID, and look the cookie's session ID up in the database to validate the user.
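A server-side session store of the kind Solution 3 describes, as an added example that is not part of the original answer. It assumes an in-memory SQLite table standing in for the database and a server-side key loaded from configuration. Where the answer says "encrypted cookies", this example uses an HMAC tag over the session ID instead: the ID is a random token that carries no secret to hide, so what the cookie needs is integrity, and a keyed MAC plus a database lookup refuses both a tampered cookie and a well-formed one whose session was never issued.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Assumption: in production this key is loaded from configuration and kept
# out of the code base; generating it here keeps the example self-contained.
SECRET_KEY = secrets.token_bytes(32)


def open_session_db():
    """In-memory SQLite stands in for the real session database."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " id TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires REAL NOT NULL)"
    )
    return db


def create_session(db, user_id, ttl=3600, now=None):
    """Issue a random session ID for an already-authenticated user."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness, no dots
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (sid, user_id, now + ttl))
    db.commit()
    return sid


def sign_cookie(sid, key=SECRET_KEY):
    """Cookie value = <session id>.<hex HMAC-SHA256 tag>."""
    tag = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def verify_cookie(cookie, key=SECRET_KEY):
    """Return the session ID if the tag checks out, else None."""
    sid, sep, tag = cookie.rpartition(".")
    if not sep or not sid:
        return None
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return sid


def user_for_cookie(db, cookie, now=None):
    """Resolve a cookie to a user id: valid tag AND a live row in the database."""
    now = time.time() if now is None else now
    sid = verify_cookie(cookie)
    if sid is None:
        return None
    row = db.execute(
        "SELECT user_id, expires FROM sessions WHERE id = ?", (sid,)
    ).fetchone()
    if row is None or row[1] < now:
        return None
    return row[0]


if __name__ == "__main__":
    db = open_session_db()
    cookie = sign_cookie(create_session(db, user_id=42))
    print(user_for_cookie(db, cookie))            # 42
    print(user_for_cookie(db, sign_cookie("x")))  # None: valid tag, unknown session
```

Checking the database on every request is what makes logout and expiry enforceable server-side; a cookie that is only signed or encrypted would otherwise remain valid until its tag stops verifying.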
