Secure Ajax Get/post Request For Server

suppose I work with some kind of API and my file server.php handles the connection to the API service. on my client side I use AJAX call like this: $http({ url : 'server/s

Solution 1:

I guess you are concerned about CSRF attacks. Read more about this here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet

One of the mostly used option to secure your request will be: - Generate a token and send it with the request for a session. This token can be identified by your WebServer as originating from a specific client for a specific session

Solution 2:

i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data?

Nothing. This URL is public thus anyone can make requests to it.

how can i secure it and make sure only calls from my application will get the relevant data back?

You can pass additional data (for example, some hashed value) that is verified on the server side.

$http({
     url : 'server/server.php',
     method : 'GET',
     data : { getContent : true, hash : '0800fc577294c34e0b28ad2839435945' }
 });

and

if(isset($_GET['getContent']))
{
    if(isset($_GET['hash']) && validateHash($_GET['hash']))
    {
        $content = get_content();
    }
}

functionget_content(){...}

Solution 3:

i just wonder what prevents any one send AJAX call with the same getContent parameter and get all my data?

The same way you would protect the data in any other request (e.g. with user authentication). There's nothing special about Ajax in regards to HTTP as far as the server is concerned.

how can i secure it and make sure only calls from my application will get the relevant data back?

You can't. The user can always inspect what their browser is asking the server for and replicate it.

Generally, people authenticate users rather than applications.