How do you prevent users from abusing the AJAX interface, e.g. faking a login through it or calling it by other means, such as writing a script that repeatedly requests these AJAX methods?
Reply content:
1. Verify that the request really is an AJAX request, e.g. in PHP:
// true only when the client sent the X-Requested-With header that jQuery and similar libraries add
define('IS_AJAX', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
(This header can be forged, but it filters out a lot of newbies.)
2. Frequency limiting. Per-IP limits can be done at the server level (Tengine has this capability). For per-user limits on logged-in users, Douban does it this way: once the frequency is exceeded, a verification code must be entered.
3. The CSRF token approach; personally I feel it is of little use.
First, there is no absolute way to prevent this.
Second, there are two options to consider:
1. Verify where the request comes from (its origin).
2. Add validation data (cookies, a hidden input); a csrftoken works much like a hidden input.
If you want to go hardcore, add a captcha --#
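The three mitigations raised in the replies above (the X-Requested-With check, a session-bound CSRF token and a per-user frequency limit) combined into one PHP gate for an AJAX endpoint, as an added example that is not code from the original thread. It assumes PHP sessions are in use and that the page issuing the AJAX call embedded the token from csrf_token() either in a hidden input named csrf_token or in a request header named X-CSRF-Token (both names are assumptions).

```php
<?php
// Added example, not from the original thread. Assumes PHP sessions and that
// the calling page sent the token from csrf_token() as POST field "csrf_token"
// or header "X-CSRF-Token" (assumed names).
session_start();

// 1. Weak check: X-Requested-With. Any client can forge this header, so it
//    only filters the most naive scripts; never rely on it alone.
function is_ajax(): bool {
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

// 2. CSRF token: random, bound to the session, compared in constant time.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// 3. Frequency limit: at most $max calls per $window seconds for this session
//    (sliding window). Limiting per IP across sessions needs a shared store
//    such as APCu or Redis; the session-based variant is shown here.
function rate_limited(int $max = 10, int $window = 60): bool {
    $now = time();
    $hits = array_filter($_SESSION['hits'] ?? [], fn($t) => $t > $now - $window);
    $hits[] = $now;
    $_SESSION['hits'] = array_values($hits);
    return count($hits) > $max;
}

$token = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);
if (!is_ajax() || !csrf_valid($token)) {
    http_response_code(403);
    exit(json_encode(['error' => 'forbidden']));
}
if (rate_limited()) {
    // Douban-style alternative: require a captcha here instead of refusing.
    http_response_code(429);
    exit(json_encode(['error' => 'too many requests']));
}
echo json_encode(['ok' => true]);
```

The header check and the token check fail closed, so a script that never loaded the page (and therefore never obtained a session token) is rejected before the rate limit is even consulted.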