htaccess - 防止人们直接访问特定文件

发布于 2024-10-27 04:01:28 字数 143 浏览 5 评论 0原文

我正在通过ajax加载特定文件,但是如何真正阻止人们直接访问这些文件呢?

顺便说一句,所有这些特定文件都位于: /ajax/ 目录

这只适用于 .htaccess 吗?如果是的话,怎么办?

I am loading specific files through ajax, but how do I actually prevent people from accessing these files directly?

BTW, all these specific files are located in: /ajax/ directory

Would that only work with .htaccess? And if yes, how?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

哭泣的笑容 2024-11-03 04:01:28

我正在通过ajax加载特定文件,但是如何真正阻止人们直接访问这些文件?

你不能可靠。服务器无法区分 Ajax 调用和任何其他调用。

然而,有一些迹象通常表明该调用是 Ajax 调用。 (请记住,这一切都可以由客户端随时伪造。)它们在这个问题中进行了讨论:如何区分 Ajax 请求和普通 Http 请求?

I am loading specific files through ajax, but how do I actually prevent people from accessing these files directly?

You can't reliably. The server can't distinguish an Ajax call from any other call.

However, there are some telltale signs that usually point towards a call being an Ajax call. (Remember, this can all be faked by a client at any time.) They are discussed in this question: How to differentiate Ajax requests from normal Http requests?

绻影浮沉 2024-11-03 04:01:28

您可以尝试检查引荐来源网址,如果没有,则为直接访问。这并不是万无一失的,因为推荐人可能是伪造的。

You could try to check the referrer and if there is none then it's a direct access. This is not bullet proof cause the referrer can be faked.

握住你手 2024-11-03 04:01:28

你不能,至少不能以可靠的方式。如果浏览器可以使用 AJAX 调用访问此文件,则可以访问它们。

您可以做一些黑客的事情,例如在 AJAX 调用中设置特殊的标头并在服务器中检查它们,但这很容易被伪造。 Referer 检查也是如此。

如果您需要某种访问控制,则必须使用服务器端代码来验证请求。由于 AJAX 请求来自浏览器,因此它们将携带域 cookie(如果已设置),因此您可以检查用户是否已登录。或者仅返回用户应该能够看到的数据。

请记住:如果数据可以通过客户端代码访问,则攻击者始终可以访问数据。绝对没有办法阻止这种情况。

You can't, a least not in a reliable way. If the browser can access this files using an AJAX call, they can be accessed.

You could do some hacky things like settings a special Header in you AJAX calls and check them in the server but this can easily be forged. The same goes for Referer checks.

If you need some kind of access control you must use server-side side code to authenticate the request. Since the AJAX-Request are coming from the browser they will carry the domain cookies (if set) so you could i.e. check if the user is logged in. Or only return data the user should be able to see.

And remember: If the data can be accessed by client-side code the data can always be accessed by an attacker. There is absolutely no way to prevent this.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文