Detect an AJAX Request in PHP

By  on  

I like using the same PHP script for both AJAX and non-AJAX content requests. Using one script just makes everything easier because it's only one file to update/edit and it's one more cache-able request. One way to try detect an AJAX request (as opposed to a regular page load) is by using the following PHP code:

/* decide what the content should be up here .... */
$content = get_content(); //generic function;

/* AJAX check  */
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
	/* special ajax here */
	die($content);
}

/* not ajax, do more.... */

$_SERVER['HTTP_X_REQUESTED_WITH'] is the golden ticket but not all servers provide this variable so having other checks in place will be important.

Recent Features

  • By
    How I Stopped WordPress Comment Spam

    I love almost every part of being a tech blogger:  learning, preaching, bantering, researching.  The one part about blogging that I absolutely loathe:  dealing with SPAM comments.  For the past two years, my blog has registered 8,000+ SPAM comments per day.  PER DAY.  Bloating my database...

  • By
    Conquering Impostor Syndrome

    Two years ago I documented my struggles with Imposter Syndrome and the response was immense.  I received messages of support and commiseration from new web developers, veteran engineers, and even persons of all experience levels in other professions.  I've even caught myself reading the post...

Incredible Demos

  • By
    Create a Dojo Lightbox with dojox.image.Lightbox

    One of the reasons I love the Dojo Toolkit is that it seems to have everything.  No scouring for a plugin from this site and then another plugin from that site to build my application.  Buried within the expansive dojox namespace of Dojo is

  • By
    Add Styles to Console Statements

    I was recently checking out Google Plus because they implement some awesome effects.  I opened the console and same the following message: WARNING! Using this console may allow attackers to impersonate you and steal your information using an attack called Self-XSS. Do not enter or paste code that you...

Discussion

  1. Wow this is going to be very very helpful…thanks, I didn’t know about this…

  2. Fabian

    HTTP_X_REQUESTED_WITH is only sent by jQuery, isn’t it?

  3. Fabian

    Gosh, David! Your commenting system sucks. Can’t even post the NAME of the var (without dollar sign and stuff…). Anyway, this is just set by jQuery, isn’t it?

  4. All of the javascript frameworks send that header.

    • fred

      You could spoof that header remotely. This works fine as a rudimentary check, but shouldn’t be relied on for security purposes.

    • Jos

      You shouldn’t rely on any kind of check for security issues. Using different urls is just as fragile and can be spoofed too. But why at all would you write a security check based on whether a request is an Ajax request or not?

    • Dan "Netwalker" Fernandez

      “This url is an ajax webservice – direct access is denied”. Think of it as an additional layer.

      Edit: two years later, and for the record

    • It ain’t an additional layer if that’s the message you respond with. ;)

    • Adrian

      Unfortunately they don’t all – AngularJS doesn’t by default. But you can do it like this:

      $http.defaults.headers.common["X-Requested-With"] = "XMLHttpRequest";
      
  5. Yeah I felt really dumb when I found about this one a few month ago. All this time I had been using javascript to add an extra parameter to queries which I would test for on the server side. Still works, but not nearly as simple as this one

  6. puznik

    HTTP_X_REQUESTED_WITH is sent by ALL recent browsers supporting ajax requests ;)
    it’s the comment field used to check is request is standard or xhttprequest

  7. Dev Words

    Is this guarenteed to work. The frameworks may all send it but can you get round it with raw javascript.

  8. I don’t think it has anything to do with frameworks. it’s just sent with any ajax request generated by the browser

  9. I know dojo doesn’t sends it (but I could be wrong)

    You will have to do something like this to work in dojo:

    dojo.xhrGet({
        url: "some/file.cgi",
        headers: {
            "X-Requested-With": "whatever"
        }
    });
    
  10. Very nice post, thanks for sharing! I’m a huge fan of the blog, really like the design and you’ve got some great content on here. If you’d be interested, I’d love to have an interview with you on my web 2.0 blog. Just let me know if you’re interested – http://www.insidethewebb.com/

  11. yeah! nice!

  12. Freak !
    By this way, nobody can get some data :)
    Thanks a lot, I’ll test after !

  13. Simon

    Very nice ! I didn’t know about this. That’s going to be very helpfull !
    Just a question about your if statement. I never understood why people made double checks like this one:
    if(!empty($var) && $var == “Hello World”)
    Why not just check it like this:
    if($var == “Hello World”)
    Isn’t it exactly the same, or even better for performance ?
    Thanks and again, great article !

  14. @Simon: Because “$var” may not be “set” so not checking for that would throw a PHP notice.

    • Actually, it’s better to user isset.
      empty($undeclared) triggers an error if I remember well

    • No, empty($undeclared) does not trigger a notice, and that’s part of its point. I use empty() all the time to check if something has been set/provided.

    • That Guy

      Even for integer values?

      var_dump(empty(0));

      anyone?

  15. Simon

    ok… Shame on me… xD
    It has become a reflex to use if(isset()), I guess that’s why I forgot why it was necessary ;)

  16. So if you’re using this do you think its time to stop supporting people with javascript turned off? I still see lots of people supporting it.

  17. @Dev Words: yes, stop if you want to leave Google out of the door. :)
    However, it seems that Dojo sends this header since Zend Framework components check for X-Requested-With and dojo has a out-of-the-box integration with ZF.

    • Shea

      For anyone interested…google spiders now have JavaScript “turned on”

  18. Be careful when using the same URL for AJAX and non-AJAX requests. This could cause some strange behavior at a proxy cache on the client’s network.

    Imagine if a proxy cache were to cache your AJAX response when one user was interacting with your application, and then another user behind the same proxy cache goes to access your application. He’ll see the AJAX response instead of the markup for your application.

    You can discourage caching by sending the appropriate cache control headers, but I’ve seen proxy caches that seem to ignore these directives, so you might get some undesired caching anyway…

  19. This is a good idea to implement, but isn’t something i would rely when it comes to security. Remember that client headers can be faked to look like something else. However this is just one more thing to kink the system when being attacked.

  20. SyaZ

    Like Jonathan Yarbor said. Only use this for user-friendliness, never use it for security purposes as everything sent by client can be faked easily nowadays.

  21. Sébastien Hutter

    Looks like jQuery doesn’t send back HTTP_X_REQUESTED_WITH on 302 redirections (eg : php function header(‘Location: page.php’) ) occuring on $.load() calls. So be carefull with automatic redirections in your code…

    Does anyone knows a way to forward HTTP_X_REQUESTED_WITH even through redirections ?

  22. Vijay

    Wow Nice Example This is very help ful for me Thanks

  23. Just to clear up any confusion:
    Yes, the header IS added by frameworks; e.g. jQuery has this line:

    xhr.setRequestHeader("X-Requested-With","XMLHttpRequest");

    The mini-framework I use didn’t send that header; I had to put it in myself.

  24. Housni

    The condition would fail under IE7.
    It appears that IE7 doesn’t recognize the header.
    IE needs to say hello to the 21st century :)

  25. @Housni: IE was the first browser to introduce ajax to the masses.

  26. Housni

    @Ben: That maybe so but unfortunately, they seem to stick to their own standards which leads to bad practice such as CSS hacks for example.
    It seems as though IE7 not recognizing the header may be cache related.
    I need to investigate this more.

  27. scvinodkumar

    $_SERVER['HTTP_X_REQUESTED_WITH'] is empty. How to enable this variable in server?

  28. @scvinodkumar, like 10 other people before me i’ll say that this header is sent by the javascript framework with which you’re making the ajax call. You can’t ‘enable’ it in your server, the js framework does…

  29. That’s awesome.
    Just used it on a website I’m making at the moment (mine) Works great with Drupal templates.

  30. Reid

    @Fabian: Gosh, Fabian! You’re a d-bag, aren’t you?

  31. fleh

    Just to make sure everyone’s aware this header can be spoofed from another site or within the certain browser extensions. it’s not an end all be all, it’s just a rudimentary check.

    • Very true fleh, but the worst thing that can happen, in this example, would be just outputting contentHTML and not the wrapping code.

  32. Is there any better method? or different method? which i can use for security?

  33. is there any other way/ method in which i can detect AJAX request?? i need it for security purpose!

  34. Philip

    The best solution for this would be to just add a parameter say:

    if (isset($_GET['ajax']) && $_GET['ajax'] == TRUE) {
    // Process AJAX request
    } else {
    // Process non-AJAX request
    }

    This should also prevent the cache problem Jason spoke of as using a new URL parameter requires the page to be reprocessed due to the browser being unable to determine what is going on in the server.

  35. By default, ajax using header: Accept:application/json, text/javascript, */*
    and not ajax have header like Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    css header: Accept:text/css,*/*; it depending file your request.

    If you using php framework like CodeIgniter, you can use $this->input->is_ajax_request(). See http://codeigniter.com/user_guide/libraries/input.html

    By the way, $_SERVER['HTTP_X_REQUESTED_WITH'] is best way for detecting ajax request.

  36. Maxoo

    Dont use jquery or other large frms only to manage ajax, much better to use what ONLY what you need, for example ajax is a simple function, for ajax i prefer Jxs at openjs.com

  37. I was not aware of the existence of $_SERVER['HTTP_X_REQUESTED_WITH']
    but…..
    i do not see the value of using it.
    For security reasons i am completely paranoid about ANY data from the outside world.
    So i consider every outside value as a an attack on my websites.

    So i dont care HOW i got an outside value, i just check everything if it is what i expect it should be, i just never trust my visitors, they are my enemies. Always trying to destroy my hard work,but at the end i love them:)

    So, i am an heavy user of isset(), ctype_xxx() and for database security prepared statement .

    lesson 1: don’t care HOW you data came in, JUST BE PARANOID OF YOUR LOVELY VISITORS!

  38. I’m seeing a few different topics mixed here so after working with this *header* and diffferent libraries for a while now I’d like to comment as follows:
    (1) X-Requested-With is a header that’s being set (by consensus of their respective developers) by most high profile JS libraries and frameworks. I found it documented for jQuery, YUI 2/3, mootols and dojo. “the net” seems to agree that jQuery had the idea first. IF it is set, it’s content should be “XMLHttpRequest” and the PHP runtime will make it available as $SERVER['X-Requested-With']
    (2) It’s NOT set by any current browser to denote a request as coming from an XMLHttpRequest object or IE-pre-7 ActiveX pendant. Which means there is no browser configuration for this. It’s between your JS framework of choice and your server script.
    (3) There is a relevant caching issue here because IE agressively (and by default) caches AJAX requests. Detecting such AJAX requests and setting appropriate caching headers is a browser-agnostic solution to this (Firefox and WebKit based browsers just happen to handle this the way most developers want them to) and is widely considered the most appropriate solution, rather than manually appending superfluous request parameters.
    (4) Simply testing a request for a header can hardly be considered a security issue. The issue arises when it comes to what your code does with that request. Which is where https, cookie encryption and responsible right lease handling come in. But that’s actually a very different issue.

  39. Just curious – does anybody know if there’s a reason to lowercase the response? I haven’t checked extensively but in all cases I’ve seen where the header is sent, it’s always been capitalized in the exact same way ("XMLHttpRequest")..

  40. Manu V

    This is awesome! Thank you, didn’t know about this function..

  41. nice article sir!

  42. Nice work David. Your articles are always very well written and easy to follow cheers mate.

  43. acero

    It works only on JQuery ajax request :)

  44. TY VERY MUCH! That’s my golden ticket to finish a job! Ty David.

  45. am

    Does not seem to work in IE. the geniuses at microsoft stripped many things out of the server variable and now I’m pretty much forced to forcep eople to download a real browser.

    I cannot get this variable to output at all when I print the server array.

  46. I use this code:

    if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {	
    	echo 'ajac resived';
    }
    
  47. Arturo J.

    Nice solution –but assumes that PHP is being run like Apache module. With PHP-FPM doesn’t work: it won’t get any header sent by JS. php://input comes to the rescue: instead of the header, the ajax request must send a parameter. PHP must check if it isset or not.

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!