Hey Rick,
My app for this question serves API requests.
Is there a reliable way to determine if an API request is coming from a server vs an AJAX request directly from a browser?
I have a case where I may want to provide the requested data only for AJAX requests (with the necessary CORS header) but not for requests from a server.
Can this be done?
Thanks,
Carl
No.
Any HTTP client can spoof any HTTP headers - that's kind of the point of HTTP 😄 IOW I can pick up the user agent string from Edge or Chrome and then use that with a call from wwHttp
.
+++ Rick ---
That's what I figured but I thought I'd check.
Thanks, Rick.
Carl
Carl;
If your API requests are coming from a limited set of IP addresses (which I think you ARE doing), then you will be able to tell from the request's IP address. You can maintain a table of IP addresses from API sources to easily add and remove them.
Also, you can use a part of the url from the API request to differentiate it from the browser... but I don't think that's what you are looking for in your situation.
Thanks Michael,
I had thought about tracking the IP Address but even that can be spoofed and I think the client I was dealing with is capable of doing that. I ended up abandoning the feature I was considering.
Carl