The Bad: Apache 🙁
X-Requested-With
in not a standard HTTP Header.
You can’t read it in apache at all (neither by
ReWriteCond %{HTTP_X_REQUESTED_WITH}
nor by
%{HTTP:X-Requested-With}
), so its impossible to check it in .htaccess or same place. 🙁
The Ugly: Script 🙁
Its just accessible in the script (eg. php), but you said you don’t want to include a php file in all of your scripts because of number of files.
The Good: auto_prepend_file 🙂
- But … there’s a simple trick to solve it 🙂
auto_prepend_file
specifies the name of a file that is automatically parsed before the main file. You can use it to include a “checker” script automatically.
So create a .htaccess
in ajax folder
php_value auto_prepend_file check.php
and create check.php
as you want:
<?
if( !@$_SERVER["HTTP_X_REQUESTED_WITH"] ){
header('HTTP/1.1 403 Forbidden');
exit;
}
?>
You can customize it as you want.