I have .html, which from within the HTML uses JavaScript (XmlHttpRequest) to call a web services at /?a=...&b=...

The web service returns to index.html a JSON array of information to then be displayed on index.html.

Since anyone can view the source code for index.html and see how I'm calling the JSON web service (/), how do I prevent people from calling my JSON web service directly?

Since the web service is essentially an open read into my database, I don't want people to abuse the web service and start fetching data directly from the web service, start DoS my server, fetching more information than they should, etc..

UPDATE:

Is there no way to limit requests for / to only e from the same server (IP) and URL request of .html?

Meaning, can't / detect that the Requester is ($_SERVER['REQUEST_URI'] == .html) and only allow that?

I have http://example./index.html, which from within the HTML uses JavaScript (XmlHttpRequest) to call a web services at http://example./json/?a=...&b=...

The web service returns to index.html a JSON array of information to then be displayed on index.html.

Since anyone can view the source code for index.html and see how I'm calling the JSON web service (http://example./json/), how do I prevent people from calling my JSON web service directly?

Since the web service is essentially an open read into my database, I don't want people to abuse the web service and start fetching data directly from the web service, start DoS my server, fetching more information than they should, etc..

UPDATE:

Is there no way to limit requests for http://example./json/ to only e from the same server (IP) and URL request of http://example./index.html?

Meaning, can't http://example./json/ detect that the Requester is ($_SERVER['REQUEST_URI'] == http://example./index.html) and only allow that?

• javascript
• web-services
• security

• 2 Umm, hello? This is exactly your question that we're already answering over here: stackoverflow./questions/2576734/… – Matchu Commented Apr 5, 2010 at 13:46
• @Matchu, it's similar but not the same (as even noted by Joshua Smith's ment on the linked StackOverflow post) – Hank Commented Apr 5, 2010 at 13:52
• "How to prevent direct access to my JSON service" == "how do I prevent people from calling my JSON web service directly?". I did note that this time you gave the rationale, which means we can actually give you reasonable alternative solutions, but it's still the same question. – Matchu Commented Apr 5, 2010 at 13:58
• $_SERVER['HTTP_REFERRER'] is what you are looking for, but it's useless for preventing DoS since it can be easily faked. Same applies for X-Requested-With header as I wrote below. It's important to understand that every countermeasure relying on client side operation can always be circumvented, since client can be never trusted. – jholster Commented Apr 5, 2010 at 15:38
• By using one-time token (CSRF protection) you can force the user to load your index.html (or whatever) before accessing JSON url, but again, it does not prevent DoS. – jholster Commented Apr 5, 2010 at 15:40

5 Answers 5

There are no easy way to prevent that. If your service isn't extremely popular and thus being likely target for denial of service attacks, I wouldn't bother.

One thing which came into my mind is using disposable tokens (valid for 10 or 100 requests).

Other (naive) approach is checking that X-Requested-With header exists in request, but of course that can be easily faked. So, my advice is: do nothing unless the problem is real.

One more idea: hash calc. The idea is to require client performing rather expensive calculation per every request, while validating the calculation in server side is cheap. For a single request the overhead is very small, but say for 1000 requests it may take significant amount of CPU time. I have no idea if hashcalc has been used to prevent DoS'ing web services. Some years ago it was proposed as antispam measure, but never became popular.

Answer is really simple, use CSRF protection. http://en.wikipedia/wiki/Cross-site_request_forgery

Simply, when user es to your site (index.php), put in session: CSRF=(RANDOM_HASH)

Ask for JSON request, example./json.php?hash=$_SESSION['CSRF']

And in json.php check if $_GET['hash'] matches $_SESSION['CSRF']

Simple as that... It's Server-Side solution!

I would keep track of the IP addresses making the requests. If you ever saw a large number of requests ing from the same IP, you could block it or offer a CAPTCHA.

There are a wide array of things you can do to add security to your service. Check this out

You can't properly secure a web-service that is callable from client-side javascript.

You can try security through obscurity techniques like javascript obfuscation, but it won't stop someone motivated.