I've been grappling with the challenge of securing public AJAX calls effectively. Imagine a scenario where JavaScript on a publicly accessible page makes an AJAX call to a PHP script, allowing any user to view and potentially exploit it by executing it repeatedly in a DDoS attack. This vulnerability undermines the security of the site, making it imperative to find a robust solution.
Initially, I considered using HTTP_REFERER checks as a form of protection, but quickly realized that this method is easily circumvented through manipulation of header fields like in a curl request. Subsequently, exploring alternatives such as session ids and cookies to create unique access keys for every user seemed promising, until the realization that clearing cookies would reset this security measure.
The idea of utilizing IP addresses as a means of restriction also proved ineffective, as users sharing a common IP could be unfairly impacted by the actions of a single malicious individual abusing the AJAX call's capabilities. The problem persisted, leaving me at an impasse without a satisfactory solution in sight.
Contemplating the use of API keys or similar authentication methods raised concerns about potential extraction from the JavaScript source, enabling unauthorized servers to utilize the service in a proxy capacity, thereby jeopardizing data integrity and misuse of resources.
tl;dr
Is there a foolproof way to safeguard publicly visible AJAX calls against exploitation for DDoS attacks, unauthorized data retrieval, or misuse by external entities?