CSRF Protection:
If you are worried about someone reading the content, there are two "different" situations:
1. Getting your /json.json on the client side via Javascript/Ajax.
2. Getting your /json.json on the "server" / "client" side via cURL/Wget/Webviewer (and "custom browsers").
The first situation is easier and indeed "there is something to be done" to prevent it:
- Add the Access-Control-Allow-Origin header, strict for your website.
- (Optional) Add Access-Control-Allow-Headers, limiting the headers (e.g. X-CRSF-TOKEN) that can be sent.
- (Optional) Add Access-Control-Allow-Methods, limiting the accepted methods (e.g. GET) so only this method will be accepted.
So you can use:
header('Access-Control-Allow-Origin: http://www.dominio.com http://m.dominio.com');
header('Access-Control-Allow-Methods: GET');
I recommend seeing this answer.
- Add a CSRF Token.
  - The CSRF Token must be valid for a single session only.
  - (Recommended) The CSRF Token must be valid for a single IP.
  - (Optional) The CSRF Token must expire after a single use.
  - (Optional) The CSRF Token should be unique for each URL or for each follow-up.
  You can read this answer.
Not very effective, but can help:
- Checking % with % is easily faked.
The second situation is impossible to correct; literally, there is no way to prevent this, and everything listed above is not enough to prevent the use of Referrer/Origin.
- Create a cURL/Wget, a limit on how many times the page can be accessed per second per IP (or Rate-Limit range); it is relatively efficient, as it will require the use of several IPv6 addresses to get the content consistently, but remember proxies and CGNAT.
- Block access via TOR and public proxies.
Much less efficient, but can help:
- Create a "challenge" in Javascript, such as IPv4; CloudFlare uses this.
Other answers that may complement:
- Api Rest server side only
- Authentication via OAuth for REST APIs
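The two server-side measures the answer lists for the first situation (a strict Access-Control-Allow-Origin allowlist, and a CSRF token that is bound to one session, one client IP and one URL and expires after a single use), worked through as an added Python example that is not part of the original answer or of any framework. The allowed origins, session ids, client IPs and the /json.json URL are constructed sample values, and CsrfTokenStore is a hypothetical in-memory store written for this illustration:

```python
import hmac
import secrets
import time

# Constructed allowlist of the site's own origins (assumption: stands in for
# www.dominio.com / m.dominio.com in the answer).
ALLOWED_ORIGINS = {"https://www.example.com", "https://m.example.com"}


def cors_headers(request_origin):
    """Build the CORS response headers for a request whose Origin header
    is `request_origin`.

    Only an origin on the allowlist is echoed back, one origin per response.
    Any other origin gets no Access-Control-Allow-Origin header at all, so the
    browser refuses to hand the JSON body to the calling script."""
    headers = {
        "Access-Control-Allow-Methods": "GET",
        "Access-Control-Allow-Headers": "X-CSRF-TOKEN",
        # Caches must not reuse one origin's response for another origin.
        "Vary": "Origin",
    }
    if request_origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request_origin
    return headers


class CsrfTokenStore:
    """Hypothetical in-memory CSRF token store implementing the properties
    listed in the answer: session-bound, IP-bound, single-use, URL-bound,
    plus a time-to-live so abandoned tokens cannot be replayed later."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        # token -> (session_id, client_ip, url, expires_at)
        self._tokens = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable for deterministic tests

    def issue(self, session_id, client_ip, url):
        """Mint a fresh random token bound to this session, IP and URL."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, client_ip, url, self._clock() + self._ttl)
        return token

    def validate(self, token, session_id, client_ip, url):
        """Return True only if the token exists, is unexpired, and matches
        the session, IP and URL it was issued for. The token is removed on
        the first lookup, so a second presentation always fails (single use)."""
        record = self._tokens.pop(token, None)
        if record is None:
            return False
        bound_session, bound_ip, bound_url, expires_at = record
        if self._clock() > expires_at:
            return False
        # compare_digest keeps the session comparison constant-time.
        return (
            hmac.compare_digest(bound_session, session_id)
            and bound_ip == client_ip
            and bound_url == url
        )


if __name__ == "__main__":
    # Constructed sample request: a page on www.example.com fetching /json.json.
    print(cors_headers("https://www.example.com"))
    print(cors_headers("https://attacker.example"))  # no Allow-Origin header

    store = CsrfTokenStore(ttl_seconds=300)
    tok = store.issue("sess-42", "203.0.113.5", "/json.json")
    print(store.validate(tok, "sess-42", "203.0.113.5", "/json.json"))  # first use
    print(store.validate(tok, "sess-42", "203.0.113.5", "/json.json"))  # replay
```

Echoing back exactly one matched origin, together with Vary: Origin, is how a single endpoint serves several first-party origins: the browser compares the header value to the requesting origin, and the cache keeps the responses for different origins apart. Binding the token to the client IP (the answer's "Recommended" point) does reject tokens replayed from another address, but users behind a proxy or CGNAT change or share IPs, which is the same trade-off the answer raises for rate limiting.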