Protecting URLs used for ajax requests

I am currently making a small website with Google Charts. I load the information with an ajax request from this URL: ‘data.php’.

The problem is that anyone can enter that URL and get the response. A person can also abuse that URL, like spamming it 1000s of times. Is there a way I can protect that from happening?

I myself thought about using a PHP session variable, so that users need to have the home page open first before it can continue.

So I don't know if there are other ways of protecting a URL used by ajax requests.

There are a number of ways to protect endpoints.

You can code-in session variables or API keys that your server side app checks for each request. You can hard code limits to how frequently the app responds to a client. If you have access to the server software you can configure firewalls or the server itself to drop high-frequency or spam requests.

How much you lock the endpoint down really just depends on your specific needs. Personally, I imagine if the endpoint is already public your main concern should be bandwidth or server integrity so a firewall rule limiting requests would be sufficient.

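One way to combine the session check and the hard-coded request limit described in the answer above, as an added example (not code from any poster in this thread). The session key `ajax_token`, the `X-Ajax-Token` request header, the limits and the sample rows are all assumptions.

```php
<?php
// data.php - added example. Token name, header name, limits and payload are assumptions.
declare(strict_types=1);
session_start();

const WINDOW_SECONDS = 60; // assumed length of the rate-limit window
const MAX_REQUESTS   = 30; // assumed maximum requests per window, per session

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    exit;
}

// 1. Session check. The home page is assumed to have run
//      $_SESSION['ajax_token'] = bin2hex(random_bytes(32));
//    and embedded the token so the ajax call can send it back in a header.
$expected = $_SESSION['ajax_token'] ?? null;
$supplied = $_SERVER['HTTP_X_AJAX_TOKEN'] ?? '';
if (!is_string($expected) || !is_string($supplied) || !hash_equals($expected, $supplied)) {
    deny(403, 'Open the home page first.');
}

// 2. Fixed-window request limit, counted in the session.
$now = time();
if ($now - ($_SESSION['rate_window_start'] ?? 0) >= WINDOW_SECONDS) {
    $_SESSION['rate_window_start'] = $now; // start a new window
    $_SESSION['rate_count'] = 0;
}
$_SESSION['rate_count']++;
if ($_SESSION['rate_count'] > MAX_REQUESTS) {
    $retryAfter = WINDOW_SECONDS - ($now - $_SESSION['rate_window_start']);
    header('Retry-After: ' . $retryAfter);
    deny(429, 'Too many requests.');
}

// 3. Normal response: constructed sample rows in the array-of-rows shape
//    that Google Charts can load with arrayToDataTable().
header('Content-Type: application/json');
echo json_encode([['Month', 'Visits'], ['Jan', 120], ['Feb', 95]]);
```

The counter lives in the session, so it only limits clients that keep their session cookie; the firewall or server-level limit mentioned in the answer is what covers clients that do not.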


If it’s a Google API you can lock the key to a single domain in the developers dashboard. Just click your key in the console and you’ll find the option.

No, I don't use a Google API. I did find this tutorial which I think can solve the problem.