How do I restrict JSON access?

json rest php api

I think you might be misunderstanding the part where the JSON request is initiated from the user's browser rather than from your own server. The static HTML page is delivered to the user's browser, then it turns around and executes the Javascript code on the page. This code opens a new connection back to your server to obtain the JSON data. From your PHP script's point of view, the JSON request comes from somewhere in the outside world.

Given the above mechanism, there isn't much you can do to prevent anybody from calling the JSON API outside the context of your HTML page.


The usual method for restricting access to your domain is prepend the content with something that runs infinitely.

For example:

while(1);{"json": "here"} // google uses this method
for (;;);{"json": "here"} // facebook uses this method

So when you fetch this via XMLHttpRequest or any other method that is restricted solely to your domain, you know that you need to parse out the infinite loop. But if it is fetched via script node:

<script src="http://some.server/secret_api?..."></script>

It will fail because the script will never get beyond the first statement.

Related

How to install/update/remove APK using "PackageInstaller" class in Android L?
Problem using NSURLRequest to POST data to server
Finding Proper Nouns using NLTK WordNet
Faster forking of large processes on Linux?
Why is Function[-A1,...,+B] not about allowing any supertypes as parameters?
How to install virtualenv without using sudo?
Core Data vs. SQLite for SQL experienced developers
How can I change the OverScroll color in Android 2.3.1?
How do I get csv file to download on IE? Works on firefox
Give warning when [super method] is not called
How to plot the survival curve generated by survreg (package survival of R)?
Setting a PHP $_SESSION['var'] using jQuery