AJAX only access

You cannot reliably prevent this from happening. The key really is not to consider someone accessing this file directly as a security issue – plan for this being possible and you will be in a much more secure place.

Some people might recommend code that looks like this (or similar):

     && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    // more code here

However, the fact of the matter is that HTTP headers can be spoofed quite easily and are not a means of securing code. In my testing on a busy site a while back i noticed that these headers are not actually that reliable anyway.

Leave a Comment