使用htaccess的拒绝阿贾克斯文件访问 [英] Deny ajax file access using htaccess
问题描述
有,我只使用AJAX的,我不希望用户直接从浏览器中运行这些脚本的一些脚本。我使用jQuery制作所有的Ajax调用和我把我所有的AJAX文件的文件夹命名为AJAX。
There are some scripts that I use only via ajax and I do not want the user to run these scripts directly from the browser. I use jQuery for making all ajax calls and I keep all of my ajax files in a folder named ajax.
所以,我希望能创建一个检查Ajax请求一个htaccess文件(HTTP_X_REQUESTED_WITH),并否认该文件夹中的所有其他请求。 (我知道,HTTP头可以伪造,但我想不出更好的解决方案)。我想这样的:
So, I was hoping to create an htaccess file which checks for ajax request (HTTP_X_REQUESTED_WITH) and deny all other requests in that folder. (I know that http header can be faked but I can not think of a better solution). I tried this:
的RewriteCond%{HTTP_X_REQUESTED_WITH} ^ $
的RewriteCond%{SERVER_URL} ^ /阿贾克斯/ 的.PHP $
重写规则^ * $ -
[F]
ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$
ReWriteCond %{SERVER_URL} ^/ajax/.php$
ReWriteRule ^.*$ - [F]
但是,它不工作。我做错了什么?有没有达到类似的效果的任何其他方式。 (我不希望为您在每一个脚本头)。
But, it is not working. What I am doing wrong? Is there any other way to achieve similar results. (I do not want to check for the header in every script).
推荐答案
X-要求 - 以
的不是一个标准的 HTTP头。
您无法读取它的Apache在所有(既不是
的RewriteCond%{HTTP_X_REQUESTED_WITH}
也不由
%{HTTP:X-要求,随着}
),所以它不可能将其签入的.htaccess或同一个地方。 : - (
You can't read it in apache at all (neither by
ReWriteCond %{HTTP_X_REQUESTED_WITH}
nor by
%{HTTP:X-Requested-With}
), so its impossible to check it in .htaccess or same place. :-(
它在脚本(如PHP)刚刚访问,但你说你不希望包括在所有的,因为文件数量的脚本的php文件。
Its just accessible in the script (eg. php), but you said you don't want to include a php file in all of your scripts because of number of files.
- 但是...有一个简单的技巧来解决这个问题: - )
AUTO_ prepend_file
指定在主文件之前自动解析的文件名。你可以用它来自动包括一个检查脚本。
auto_prepend_file
specifies the name of a file that is automatically parsed before the main file. You can use it to include a "checker" script automatically.
因此,创建一个的.htaccess
在AJAX文件夹
So create a .htaccess
in ajax folder
php_value auto_prepend_file check.php
和创造 check.php
为你想要的:
<?
if( !@$_SERVER["HTTP_X_REQUESTED_WITH"] ){
header('HTTP/1.1 403 Forbidden');
exit;
}
?>
只要你想你可以自定义它。
You can customize it as you want.
这篇关于使用htaccess的拒绝阿贾克斯文件访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!