How can I restrict access to some PHP pages only from pages within my website?

Question

I have in my website a PHP page which retrieves data from my database to be presented in my website. This page is called via AJAX. How can I restrict the access to it only f

Answer 1

JavaScript running on another site will be unable to access your site because of the Same-Origin Policy for XHR. But nothing is stopping someone from building a PHP+CURL script to "proxy" the data from your ajax backed to make it appear as though it was running on their server. Trying to blacklist clients is messy, ip address are cheap and free http proxies are plentiful.

In short there is nothing special about your javascript. A client can do whatever he wants, and you can't force him to behave, this is the basis of "client site trust". A hacker can use something like tamperdata or even firebug to identify HTTP requests and he will be able to replay them or forge them with CURL.

You could try obfuscating your javascript. But at the end of the day an attacker is just going to replay the http request, and there is absolutely thing you can do about it.