How to prevent cross-domain ajax requests?

闹比i 2020-12-05 16:43

How can I detect if my php script is being called from another domain and the other domain is making illegal use of my script? Is there a way to prevent this too?

6 answers
广开言路 2020-12-05 17:33

    You can manually deny every request whose Origin header does not match your domain name. However, not all browsers send the Origin header. In these cases, you can fall back to the Referer[sic] header, parse it and find out the domain name, and compare it as above.

    Some JavaScript frameworks also set an X-Requested-With header for AJAX requests.

    This should reject a significant percentage of users (I'd estimate >95%). Note that due to the Same-Origin Policy, the only thing the guy sending AJAX requests to your domain gets is timing information anyway.
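
One way to implement the Origin/Referer check and the X-Requested-With requirement described in this answer, written in PHP as an added example (not code from the answer or the thread); it assumes the check runs at the top of the script being protected and that the allowed host list names your own domain(s). Browsers set Origin and Referer themselves and page scripts cannot override them, so this screens out browser-based cross-site calls, but a non-browser client can send any headers it likes, so it is a heuristic, not authentication.

```php
<?php
// Added example, not from the answer above. Assumes it sits at the top of the
// protected PHP script; $allowedHosts and the function names are illustrative.

function originHost(array $server): ?string {
    // Prefer Origin; fall back to Referer when the browser omits Origin.
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $key) {
        if (!empty($server[$key])) {
            $host = parse_url($server[$key], PHP_URL_HOST);
            // parse_url returns null when no host component, false on failure
            return (is_string($host) && $host !== '') ? strtolower($host) : null;
        }
    }
    return null;   // neither header present
}

function isSameOriginAjax(array $server, array $allowedHosts): bool {
    $host = originHost($server);
    if ($host === null) {
        return false;   // no usable header: treat as foreign
    }
    if (!in_array($host, $allowedHosts, true)) {
        return false;   // request originated from another domain
    }
    // Most JS libraries add this header to AJAX calls; require it as well.
    return isset($server['HTTP_X_REQUESTED_WITH'])
        && strcasecmp($server['HTTP_X_REQUESTED_WITH'], 'XMLHttpRequest') === 0;
}

// Your own domain(s), lower-case, without scheme or port (constructed values).
$allowedHosts = ['example.com', 'www.example.com'];

if (!isSameOriginAjax($_SERVER, $allowedHosts)) {
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Forbidden: cross-origin request rejected');
}
// ... the script's normal work continues here
```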
