blocks|key|3028593|text|只需检查文档开头的if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){，如果未设置，则不返回任何内容。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|3028594|编辑原因如下：http://github.com/jquery/jquery/blob/master/src/ajax.js#L370|BOLD|3028595|edit+2+My+bad，再读一遍你的帖子吧。你也可以让网络无法访问一个文件夹，然后只有一个以include('./private/scripts.php')为服务器的标准ajax.php文件，仍然可以访问它，但没有人能够从他们的浏览器中查看。|3028596|entityMap|0|LINK|mutability|MUTABLE|url|http://github.com/jquery/jquery/blob/master/src/ajax.js#L370^0|9|1K|0|0|2|7|1O|0|0|0|6|1C|W|0^^$0|@$1|2|3|4|5|6|7|S|8|@$9|T|A|U|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|V|8|@$9|W|A|X|B|H]]|D|@$9|Y|A|Z|1|10]]|E|$]]|$1|I|3|J|5|6|7|11|8|@$9|12|A|13|B|H]|$9|14|A|15|B|C]]|D|@]|E|$]]|$1|K|3|-4|5|6|7|16|8|@]|D|@]|E|$]]]|L|$M|$5|N|O|P|E|$Q|R]]]]

Just check for <code>if($_SERVER['HTTP_X_REQUESTED_WITH']=='XMLHttpRequest'){</code> at the beginning of the document, if it's not set, then don't return anything.

edit
Here's why: <a href="http://github.com/jquery/jquery/blob/master/src/ajax.js#L370" rel="nofollow noreferrer">http://github.com/jquery/jquery/blob/master/src/ajax.js#L370</a>

edit 2
My bad, just read through your post again. You can alternatively make a folder inaccessible to the web and then just have a standard ajax.php file that has <code>include('./private/scripts.php')</code> as your server will still be able to access it, but no one will be able to view from their browser.

blocks|key|300843|text|只有几个预定义的HTTP_*变量映射到HTTP头，可以在RewriteCond中使用。对于任何其他HTTP标头，您需要使用%25{HTTP:header}变量。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|300844|只要改变就好|300845|ReWriteCond+%25{HTTP_X_REQUESTED_WITH}+%5E$|code-block|syntax|javascript|300846|至：|300847|ReWriteCond+%25{HTTP:X-Requested-With}+%5E$|300848|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|O|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|P|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|Q|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|R|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|S|8|@]|9|@]|A|$G|H]]|$1|M|3|-4|5|6|7|T|8|@]|9|@]|A|$]]]|N|$]]

There are only a few predefined HTTP_* variables mapping to HTTP headers that you can use in a RewriteCond. For any other HTTP headers, you need to use a %{HTTP:header} variable.

Just change

<pre><code>ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$
</code></pre>

To:

<pre><code>ReWriteCond %{HTTP:X-Requested-With} ^$
</code></pre>

blocks|key|303087|text|使用.htaccess的另一种选择是使用$_SERVER‘’HTTP_REFERER‘变量来测试脚本是否从您的页面访问，而不是从另一个站点访问，等等。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|303088|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

An alternative to using .htaccess is to use the $_SERVER['HTTP_REFERER'] variable to test that the script is being accessed from your page, rather than from another site, etc.

blocks|key|303090|text|我假设您的所有ajax脚本都在一个目录AJAX中，因为您在不起作用的示例中引用了%5E/ajax/.php$。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|303091|在此文件夹/ajax/中放置一个包含以下内容的.htaccess文件：|offset|length|style|CODE|303092|SetEnvIfNoCase+X-Requested-With+XMLHttpRequest+ajax
Order+Deny,Allow
Deny+from+all
Allow+from+env=ajax|code-block|syntax|javascript|303093|这样做的目的是拒绝任何没有XMLHttpRequest头的请求。|303094|entityMap^0|0|5|6|N|9|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|R|8|@$D|S|E|T|F|G]|$D|U|E|V|F|G]]|9|@]|A|$]]|$1|H|3|I|5|J|7|W|8|@]|9|@]|A|$K|L]]|$1|M|3|N|5|6|7|X|8|@]|9|@]|A|$]]|$1|O|3|-4|5|6|7|Y|8|@]|9|@]|A|$]]]|P|$]]

I'm assuming you have all your AJAX scripts in a directory ajax, because you refer to ^/ajax/.php$ in your non-working example.

In this folder <code>/ajax/</code> place a <code>.htaccess</code> file with this content:

<pre><code>SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
Order Deny,Allow
Deny from all
Allow from env=ajax
</code></pre>

What this does is deny any request without the XMLHttpRequest header.

blocks|key|297976|text|缺点:阿帕奇:-(|type|unstyled|depth|inlineStyleRanges|entityRanges|data|297977|非标准HTTP+Header中的X-Requested-With。|offset|length|style|CODE|297978|你根本不能在apache中读取它(既不能通过ReWriteCond+%25{HTTP_X_REQUESTED_WITH}也不能通过%25{HTTP:X-Requested-With})，所以不可能在.htaccess或相同的地方检查它。:-(|297979|丑女:脚本:-(|297980|它只在脚本中可访问(例如，php)，但是你说你不想在所有的脚本中都包含一个php文件，因为文件太多了。|297981|优点:+auto_prepend_file+:-)|297982|297983|但是...有一个简单的技巧可以解决这个问题:-)|unordered-list-item|297984|297985|auto_prepend_file指定在主文件之前自动解析的文件的名称。您可以使用它自动包含一个"checker“脚本。|297986|因此在ajax文件夹中创建一个.htaccess|297987|php_value+auto_prepend_file+check.php|code-block|syntax|javascript|297988|并创建您想要的check.php：|297989|<?
if(+!@$_SERVER["HTTP_X_REQUESTED_WITH"]+){
++++++++header('HTTP/1.1+403+Forbidden');
++++++++exit;
}
?>|297990|您可以根据需要对其进行自定义。|297991|entityMap|0|LINK|mutability|MUTABLE|url|http://en.wikipedia.org/wiki/List_of_HTTP_header_fields^0|0|G|G|3|B|0|0|M|10|1R|O|0|0|0|0|0|0|0|0|H|0|F|9|0|0|7|9|0|0|0^^$0|@$1|2|3|4|5|6|7|1H|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|1I|8|@$D|1J|E|1K|F|G]]|9|@$D|1L|E|1M|1|1N]]|A|$]]|$1|H|3|I|5|6|7|1O|8|@$D|1P|E|1Q|F|G]|$D|1R|E|1S|F|G]]|9|@]|A|$]]|$1|J|3|K|5|6|7|1T|8|@]|9|@]|A|$]]|$1|L|3|M|5|6|7|1U|8|@]|9|@]|A|$]]|$1|N|3|O|5|6|7|1V|8|@]|9|@]|A|$]]|$1|P|3|-4|5|6|7|1W|8|@]|9|@]|A|$]]|$1|Q|3|R|5|S|7|1X|8|@]|9|@]|A|$]]|$1|T|3|-4|5|6|7|1Y|8|@]|9|@]|A|$]]|$1|U|3|V|5|6|7|1Z|8|@$D|20|E|21|F|G]]|9|@]|A|$]]|$1|W|3|X|5|6|7|22|8|@$D|23|E|24|F|G]]|9|@]|A|$]]|$1|Y|3|Z|5|10|7|25|8|@]|9|@]|A|$11|12]]|$1|13|3|14|5|6|7|26|8|@$D|27|E|28|F|G]]|9|@]|A|$]]|$1|15|3|16|5|10|7|29|8|@]|9|@]|A|$11|12]]|$1|17|3|18|5|6|7|2A|8|@]|9|@]|A|$]]|$1|19|3|-4|5|6|7|2B|8|@]|9|@]|A|$]]]|1A|$1B|$5|1C|1D|1E|A|$1F|1G]]]]

<h2>The Bad: Apache :-(</h2>

<code>X-Requested-With</code> in not a standard <a href="http://en.wikipedia.org/wiki/List_of_HTTP_header_fields" rel="noreferrer">HTTP Header</a>.

You can't read it in apache at all (neither by 
<code>ReWriteCond %{HTTP_X_REQUESTED_WITH}</code>
nor by
<code>%{HTTP:X-Requested-With}</code>), so its impossible to check it in .htaccess or same place. :-(

<h2>The Ugly: Script :-(</h2>

Its just accessible in the script (eg. php), but you said you don't want to include a php file in all of your scripts because of number of files.

<h2>The Good: auto_prepend_file :-)</h2>

<ul>
<li>But ... there's a simple trick to solve it :-)</li>
</ul>

<code>auto_prepend_file</code> specifies the name of a file that is automatically parsed before the main file. You can use it to include a "checker" script automatically.

So create a <code>.htaccess</code> in ajax folder

<pre><code>php_value auto_prepend_file check.php
</code></pre>

and create <code>check.php</code> as you want:

<pre><code>&lt;?
if( !@$_SERVER["HTTP_X_REQUESTED_WITH"] ){
 header('HTTP/1.1 403 Forbidden');
 exit;
}
?&gt;
</code></pre>

You can customize it as you want.

There are some scripts that I use only via ajax and I do not want the user to run these scripts directly from the browser. I use jQuery for making all ajax calls and I keep all of my ajax files in a folder named ajax. 

So, I was hoping to create an htaccess file which checks for ajax request (HTTP_X_REQUESTED_WITH) and deny all other requests in that folder. (I know that http header can be faked but I can not think of a better solution). I tried this:

<blockquote>
 ReWriteCond %{HTTP_X_REQUESTED_WITH} ^$ 
 ReWriteCond %{SERVER_URL} ^/ajax/.php$ 
 ReWriteRule ^.*$ -
 [F]
</blockquote>

But, it is not working. What I am doing wrong? Is there any other way to achieve similar results. (I do not want to check for the header in every script).

Deny ajax file access using htaccess

服务器

jQuery

有一些脚本我只通过ajax使用，我不希望用户直接从浏览器运行这些脚本。我使用jQuery进行所有ajax调用，并将所有ajax文件保存在一个名为ajax的文件夹中。因此，我希望创建一个htaccess文件来检查ajax请求(HTTP_X_REQUESTED_WITH)，并拒绝该文件夹中的所有其他请求。(我知道http报...

问使用htaccess拒绝ajax文件访问
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用htaccess拒绝ajax文件访问EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问使用htaccess拒绝ajax文件访问
EN