Please could I request for your advise on the following problem:
关于以下问题,我可以要求您的意见吗?
I'd like to restrict access to a web folder through the Web URL (I understand that this could be done using .htaccess). However, my concern is that I'd also like the code files in this folder to be accessible to AJAX calls.
我希望通过web URL限制对web文件夹的访问(我理解可以使用.htaccess实现这一点)。但是,我担心的是,我还希望这个文件夹中的代码文件能够被AJAX调用访问。
Reference question: deny direct access to a folder and file by htaccess
引用问题:拒绝htaccess直接访问文件夹和文件
Is it therefore correct to assume that any access allow/deny rule in .htaccess is automatically applicable to AJAX calls as well (since they're based on URLs)? And if so, what could be the best way to let the server access mechanism know that it's some "code" that is trying to communicate with it?
因此,假设.htaccess中的任何访问允许/拒绝规则都自动适用于AJAX调用是否正确(因为它们基于url)?如果是这样的话,让服务器访问机制知道有一些“代码”正在尝试与它通信的最好方法是什么呢?
Please do let me know if I could provide any clarifications or additional details. Thanks a lot!
请让我知道,如果我能提供任何澄清或其他细节。谢谢!
2 个解决方案
#1
2
You can do so based on HTTP_REFERER, put this code in your DOCUMENT_ROOT/.htaccess file::
您可以基于HTTP_REFERER来实现这一点,将这些代码放到DOCUMENT_ROOT/中。htaccess::
RewriteEngine On
## disable direct access
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/ [NC]
RewriteRule ^somefolder - [F,NC]
Though I must add that HTTP_REFERER based check is not very strong and it can be easily spoofed.
尽管我必须添加基于HTTP_REFERER的检查不是很强大,它很容易被欺骗。
#2
1
You should implement an authentication mecanism based on sessions.
您应该实现基于会话的身份验证mecanism。
- In your application, the user logs in.
- 在应用程序中,用户登录。
- In your ajax files, you test if the user is authenticated, and if he's not, you return a
403 Forbiddenheader. - 在ajax文件中,测试用户是否通过了身份验证,如果用户没有通过身份验证,则返回一个403禁止的头。
You could also send a custom header with ajax, and test in your ajax files or with .htaccess, if it is present. But this is less secure than authentication, because someone could forge the request.
您还可以使用ajax发送自定义头,并在ajax文件或.htaccess中进行测试(如果存在的话)。但这不如身份验证安全,因为有人可能伪造请求。
#1
2
You can do so based on HTTP_REFERER, put this code in your DOCUMENT_ROOT/.htaccess file::
您可以基于HTTP_REFERER来实现这一点,将这些代码放到DOCUMENT_ROOT/中。htaccess::
RewriteEngine On
## disable direct access
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com/ [NC]
RewriteRule ^somefolder - [F,NC]
Though I must add that HTTP_REFERER based check is not very strong and it can be easily spoofed.
尽管我必须添加基于HTTP_REFERER的检查不是很强大,它很容易被欺骗。
#2
1
You should implement an authentication mecanism based on sessions.
您应该实现基于会话的身份验证mecanism。
- In your application, the user logs in.
- 在应用程序中,用户登录。
- In your ajax files, you test if the user is authenticated, and if he's not, you return a
403 Forbiddenheader. - 在ajax文件中,测试用户是否通过了身份验证,如果用户没有通过身份验证,则返回一个403禁止的头。
You could also send a custom header with ajax, and test in your ajax files or with .htaccess, if it is present. But this is less secure than authentication, because someone could forge the request.
您还可以使用ajax发送自定义头,并在ajax文件或.htaccess中进行测试(如果存在的话)。但这不如身份验证安全,因为有人可能伪造请求。