Prevent external access to PHP scripts but allow AJAX

Question

I\'ve read a lot about .htaccess rules, checking headers, using encryption etc.. but I haven\'t found exactly the answer I\'m after. I know that assuming the server is set up ri

Answer 1

There is NO way absolutely to safely/reliably identify which part of the browser the request comes from -- address bar, AJAX. There's a way to identify what is sending though browser/curl/etc via User-Agent header (but not reliably)

A quick but a lot less reliable solution would be to check for the following header. Most browsers attach it with AJAX calls. Be sure to thoroughly look into it, and implement.

X-Requested-With: XMLHttpRequest

NOTE: Do not trust the client if the resource is cruicial. You are better off implementing some other means of access filtering. Remember, any one can fake headers!