how to lock AJAX calls to ASHX/WCF service to domain to stop data harvest
Is it possible to restrict the access of an ASHX or WCF ser开发者_如何学JAVAvice to only AJAX calls from your own domain?
In order to improve site performance, we want to use the full jQuery & MS AJAX 4.0 approach however exposing our retail data via an ASHX or WCF service makes it really easier for competitors to harvest our data.
Yes it is a public website and they could eventually harvest and we will put throttling in place but how can we lock calls to these services to our domain?
Could a windows app and contect directly to the service and still harvest?
Looks like another performance/security tradeoff!! sigh
Any suggestions would be helpful.
Thanks in advance.
What you're asking for can't be done. Any data that's available on your public website, whether it's intended to be called from a browser or via AJAX, can be scraped. You can try obfuscating your Javascript and data, or using a CAPTCHA, but these can be worked around. Throttling also is only a minor deterrent, as an attacker can trickle their requests, or use multiple proxies.
Basically, once you put it on the Internet, it's public.
You may use an encrypted parameter. Server's current date time will be a good parameter.
MyService.ashx?parameter=<encrypted date time>
In your ashx check the parameter to see if it is present and date time is current, if not throttle and return an empty page. Allow a few seconds margin though.
This will prevent your service called directly from a harvester but it won't prevent your site being harvested by a crawler.
精彩评论