Protecting a route used by a single domain

CSRF Protection:

If you are worried about someone reading the content, there are two "different" situations:

Get your /json.json on the client side via Javascript/Ajax .

Get your /json.json on the "server" / "client" side via cURL/Wget/Webviewer (and "custom browsers").

The first situation is easier and indeed "there is something to be done" to prevent:

Add the Access-Control-Allow-Origin header, strict for your website.

(Optional) Add the Access-Control-Allow-Headers , limit the headers (eg X-CRSF-TOKEN ) that can be sent.

(Optional) Add the Access-Control-Allow-Methods , limit the accepted methods (eg GET ) so only this method will be accepted.

You will soon be able to use:

header('Access-Control-Allow-Origin: http://www.dominio.com http://m.dominio.com');
header('Access-Control-Allow-Methods: GET');

I recommend seeing this answer.

Add a CSRF Token . The CSRF Token must be valid for a single session only. (Recommended) The CSRF Token must be valid for a single IP. (Optional) The CSRF Token must expire after a single use. (Optional) CSRF Token should be unique for each URL or for each follow up.

You can read this answer

Not very effective but can help:

Checking% with% is easily faked. The second situation is impossible to correct, literally, there is no way to prevent this, all listed above is not enough to prevent the use of Referrer/Origin .

Create a cURL/Wget , a limit on how many times the page can be accessed per second per IP (or Rate-Limit range) is relatively efficient as it will require the use of several IPv6 if you want to get content consistently , but remember proxies no CGNAT . Block access via TOR and public proxies.

Much less efficient but can help:

Create a "challenge" in Javascript, such as IPv4 , CloudFlare uses this.

Other answers that may complement:

Api Rest server side only

Authentication via OAuth for REST APIs