How do I only allow my app to access my ajax requests

Get help using Construct 2

Post » Sat Jan 23, 2016 6:29 pm

Hi!

I am working on an app which works like a charm, but I have bad thoughts about the safety.

I actually fetch a lot of data through AJAX requests via .php files on my server.

Now everything works as expected, but I want to know if there is any way to only allow my app to read the .php files. Is there any way I can identify my Construct 2 project to my PHP scripts so the script won't be accessible by browser but only by my app?

My method at this moment is very straightforward and everything but safe:
AJAX > Request - domain.com/scripts/phpfile.php?variable1=1&variable2=2

In the PHP code I connect to my database, get my info and echo it back.

For now this is great to test everything and set up a working project, but as you know you can simply access the PHP scripts once you know where they are, and for that I don't feel safe. Someone with bad intentions could crap up the complete database with no hassle at all.

Any good solutions?

Thanks!

Post » Tue Jan 26, 2016 4:26 pm

Start by ensuring that your file permissions in Linux are correct (or Windows). Make sure that the php files belong to the root or admin user and are permissioned only for read & execute access by your Apache HTTPD user.

Other than that, I don't know how dextrous you are with server-side networking, but you can use proxy systems to limit access to your files.

You could go even further and have intrusion prevention systems and firewalls on various levels of proxy servers.

Some auxiliary resources:
https://www.owasp.org/index.php/PHP_Sec ... heat_Sheet
http://www.symantec.com/connect/article ... -step-step
http://www.cyberciti.biz/tips/php-secur ... orial.html
http://www.tecmint.com/apache-security-tips/
http://xianshield.org/guides/apache2.0guide.html
https://web.nvd.nist.gov/view/ncp/repos ... tail?id=94

Oh and make sure you use prepared statements for all of your database accesses!!
https://xkcd.com/327/
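The last point in the reply above (prepared statements) is the one that directly addresses the "crap up the complete database" worry in the question, so here is the echo-the-query-result pattern from the question written twice: once with the request value pasted into the SQL text, once as a PDO prepared statement. This is an added example, not code from either poster. The table name, column names and the `player` parameter are assumptions, the rows are constructed sample data, and it uses an in-memory SQLite database so it runs offline from the command line; for a real deployment only the DSN and credentials change.

```php
<?php
// Added example: string-built query (injectable) beside a PDO prepared statement.
// Table/column names are assumptions; the in-memory SQLite DSN stands in for
// whatever database the script in the question connects to.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares where the driver supports them (MySQL does).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data standing in for the questioner's table.
$pdo->exec('CREATE TABLE scores (id INTEGER PRIMARY KEY, player TEXT NOT NULL, score INTEGER NOT NULL)');
$pdo->exec("INSERT INTO scores (player, score) VALUES ('alice', 120), ('bob', 95), ('carol', 300)");

// VULNERABLE: the request parameter becomes part of the SQL text.
// A value such as  alice' OR '1'='1  changes the WHERE clause and returns every row;
// a UNION SELECT or a stacked statement can read or destroy other tables.
function scoresForPlayerUnsafe(PDO $pdo, string $player): array
{
    $sql = "SELECT player, score FROM scores WHERE player = '$player'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed when it is prepared; the value is sent separately
// as a bound parameter and cannot alter the statement, whatever quotes it contains.
function scoresForPlayer(PDO $pdo, string $player): array
{
    $stmt = $pdo->prepare('SELECT player, score FROM scores WHERE player = :player');
    $stmt->execute([':player' => $player]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: what an honest client sends, and an injection payload.
// In the real script the value would come from the request, e.g.
//   $player = (string)($_GET['player'] ?? '');
$honest  = 'alice';
$payload = "alice' OR '1'='1";

printf("unsafe, honest input: %d row(s)\n", count(scoresForPlayerUnsafe($pdo, $honest)));
printf("unsafe, payload:      %d row(s)\n", count(scoresForPlayerUnsafe($pdo, $payload)));
printf("prepared, payload:    %d row(s)\n", count(scoresForPlayer($pdo, $payload)));

// Return structured data to the AJAX caller instead of echoing raw strings.
echo json_encode(scoresForPlayer($pdo, $honest)), "\n";
```

Run it with `php example.php`. The string-built version returns one row for the honest input but the whole table for the payload, because the quote in the payload closes the string literal and the `OR '1'='1'` makes the WHERE clause true for every row. The prepared version returns no rows for the same payload: the database looks for a player literally named `alice' OR '1'='1`. Note that this only stops SQL injection; it does nothing to stop anyone who knows the URL from calling the script, which is the other half of the question and needs some form of client authentication on top.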
