Detect an AJAX Request in PHP

By  on  

I like using the same PHP script for both AJAX and non-AJAX content requests. Using one script just makes everything easier because it's only one file to update/edit and it's one more cache-able request. One way to try detect an AJAX request (as opposed to a regular page load) is by using the following PHP code:

/* decide what the content should be up here .... */
$content = get_content(); //generic function;

/* AJAX check  */
if(!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
	/* special ajax here */

/* not ajax, do more.... */

$_SERVER['HTTP_X_REQUESTED_WITH'] is the golden ticket but not all servers provide this variable so having other checks in place will be important.

Recent Features

  • By
    Responsive Images: The Ultimate Guide

    Chances are that any Web designers using our Ghostlab browser testing app, which allows seamless testing across all devices simultaneously, will have worked with responsive design in some shape or form. And as today's websites and devices become ever more varied, a plethora of responsive images...

  • By
    5 Ways that CSS and JavaScript Interact That You May Not Know About

    CSS and JavaScript:  the lines seemingly get blurred by each browser release.  They have always done a very different job but in the end they are both front-end technologies so they need do need to work closely.  We have our .js files and our .css, but...

Incredible Demos

  • By
    Six Degrees of Kevin Bacon Using MooTools 1.2

    As you can probably tell, I try to mix some fun in with my MooTools madness but I also try to make my examples as practical as possible. Well...this may not be one of those times. I love movies and useless movie trivia so naturally I'm...

  • By
    HTML5’s placeholder Attribute

    HTML5 has introduced many features to the browser;  some HTML-based, some in the form of JavaScript APIs, but all of them useful.  One of my favorites if the introduction of the placeholder attribute to INPUT elements.  The placeholder attribute shows text in a field until the...


  1. Wow this is going to be very very helpful…thanks, I didn’t know about this…

  2. Fabian

    HTTP_X_REQUESTED_WITH is only sent by jQuery, isn’t it?

  3. Fabian

    Gosh, David! Your commenting system sucks. Can’t even post the NAME of the var (without dollar sign and stuff…). Anyway, this is just set by jQuery, isn’t it?

  4. All of the javascript frameworks send that header.

    • fred

      You could spoof that header remotely. This works fine as a rudimentary check, but shouldn’t be relied on for security purposes.

    • Jos

      You shouldn’t rely on any kind of check for security issues. Using different urls is just as fragile and can be spoofed too. But why at all would you write a security check based on whether a request is an Ajax request or not?

    • Dan "Netwalker" Fernandez

      “This url is an ajax webservice – direct access is denied”. Think of it as an additional layer.

      Edit: two years later, and for the record

    • It ain’t an additional layer if that’s the message you respond with. ;)

    • Adrian

      Unfortunately they don’t all – AngularJS doesn’t by default. But you can do it like this:

      $http.defaults.headers.common["X-Requested-With"] = "XMLHttpRequest";
  5. Yeah I felt really dumb when I found about this one a few month ago. All this time I had been using javascript to add an extra parameter to queries which I would test for on the server side. Still works, but not nearly as simple as this one

  6. puznik

    HTTP_X_REQUESTED_WITH is sent by ALL recent browsers supporting ajax requests ;)
    it’s the comment field used to check is request is standard or xhttprequest

  7. Dev Words

    Is this guarenteed to work. The frameworks may all send it but can you get round it with raw javascript.

  8. I don’t think it has anything to do with frameworks. it’s just sent with any ajax request generated by the browser

  9. I know dojo doesn’t sends it (but I could be wrong)

    You will have to do something like this to work in dojo:

        url: "some/file.cgi",
        headers: {
            "X-Requested-With": "whatever"
  10. Very nice post, thanks for sharing! I’m a huge fan of the blog, really like the design and you’ve got some great content on here. If you’d be interested, I’d love to have an interview with you on my web 2.0 blog. Just let me know if you’re interested –

  11. yeah! nice!

  12. Freak !
    By this way, nobody can get some data :)
    Thanks a lot, I’ll test after !

  13. Simon

    Very nice ! I didn’t know about this. That’s going to be very helpfull !
    Just a question about your if statement. I never understood why people made double checks like this one:
    if(!empty($var) && $var == “Hello World”)
    Why not just check it like this:
    if($var == “Hello World”)
    Isn’t it exactly the same, or even better for performance ?
    Thanks and again, great article !

  14. @Simon: Because “$var” may not be “set” so not checking for that would throw a PHP notice.

    • Actually, it’s better to user isset.
      empty($undeclared) triggers an error if I remember well

    • No, empty($undeclared) does not trigger a notice, and that’s part of its point. I use empty() all the time to check if something has been set/provided.

    • That Guy

      Even for integer values?



  15. Simon

    ok… Shame on me… xD
    It has become a reflex to use if(isset()), I guess that’s why I forgot why it was necessary ;)

  16. So if you’re using this do you think its time to stop supporting people with javascript turned off? I still see lots of people supporting it.

  17. @Dev Words: yes, stop if you want to leave Google out of the door. :)
    However, it seems that Dojo sends this header since Zend Framework components check for X-Requested-With and dojo has a out-of-the-box integration with ZF.

    • Shea

      For anyone interested…google spiders now have JavaScript “turned on”

  18. Be careful when using the same URL for AJAX and non-AJAX requests. This could cause some strange behavior at a proxy cache on the client’s network.

    Imagine if a proxy cache were to cache your AJAX response when one user was interacting with your application, and then another user behind the same proxy cache goes to access your application. He’ll see the AJAX response instead of the markup for your application.

    You can discourage caching by sending the appropriate cache control headers, but I’ve seen proxy caches that seem to ignore these directives, so you might get some undesired caching anyway…

  19. This is a good idea to implement, but isn’t something i would rely when it comes to security. Remember that client headers can be faked to look like something else. However this is just one more thing to kink the system when being attacked.

  20. SyaZ

    Like Jonathan Yarbor said. Only use this for user-friendliness, never use it for security purposes as everything sent by client can be faked easily nowadays.

  21. Sébastien Hutter

    Looks like jQuery doesn’t send back HTTP_X_REQUESTED_WITH on 302 redirections (eg : php function header(‘Location: page.php’) ) occuring on $.load() calls. So be carefull with automatic redirections in your code…

    Does anyone knows a way to forward HTTP_X_REQUESTED_WITH even through redirections ?

  22. Vijay

    Wow Nice Example This is very help ful for me Thanks

  23. Just to clear up any confusion:
    Yes, the header IS added by frameworks; e.g. jQuery has this line:


    The mini-framework I use didn’t send that header; I had to put it in myself.

  24. Housni

    The condition would fail under IE7.
    It appears that IE7 doesn’t recognize the header.
    IE needs to say hello to the 21st century :)

  25. @Housni: IE was the first browser to introduce ajax to the masses.

  26. Housni

    @Ben: That maybe so but unfortunately, they seem to stick to their own standards which leads to bad practice such as CSS hacks for example.
    It seems as though IE7 not recognizing the header may be cache related.
    I need to investigate this more.

  27. scvinodkumar

    $_SERVER['HTTP_X_REQUESTED_WITH'] is empty. How to enable this variable in server?

  28. @scvinodkumar, like 10 other people before me i’ll say that this header is sent by the javascript framework with which you’re making the ajax call. You can’t ‘enable’ it in your server, the js framework does…

  29. That’s awesome.
    Just used it on a website I’m making at the moment (mine) Works great with Drupal templates.

  30. Reid

    @Fabian: Gosh, Fabian! You’re a d-bag, aren’t you?

  31. fleh

    Just to make sure everyone’s aware this header can be spoofed from another site or within the certain browser extensions. it’s not an end all be all, it’s just a rudimentary check.

    • Very true fleh, but the worst thing that can happen, in this example, would be just outputting contentHTML and not the wrapping code.

  32. Is there any better method? or different method? which i can use for security?

  33. is there any other way/ method in which i can detect AJAX request?? i need it for security purpose!

  34. Philip

    The best solution for this would be to just add a parameter say:

    if (isset($_GET['ajax']) && $_GET['ajax'] == TRUE) {
    // Process AJAX request
    } else {
    // Process non-AJAX request

    This should also prevent the cache problem Jason spoke of as using a new URL parameter requires the page to be reprocessed due to the browser being unable to determine what is going on in the server.

  35. By default, ajax using header: Accept:application/json, text/javascript, */*
    and not ajax have header like Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    css header: Accept:text/css,*/*; it depending file your request.

    If you using php framework like CodeIgniter, you can use $this->input->is_ajax_request(). See

    By the way, $_SERVER['HTTP_X_REQUESTED_WITH'] is best way for detecting ajax request.

  36. Maxoo

    Dont use jquery or other large frms only to manage ajax, much better to use what ONLY what you need, for example ajax is a simple function, for ajax i prefer Jxs at

  37. I was not aware of the existence of $_SERVER['HTTP_X_REQUESTED_WITH']
    i do not see the value of using it.
    For security reasons i am completely paranoid about ANY data from the outside world.
    So i consider every outside value as a an attack on my websites.

    So i dont care HOW i got an outside value, i just check everything if it is what i expect it should be, i just never trust my visitors, they are my enemies. Always trying to destroy my hard work,but at the end i love them:)

    So, i am an heavy user of isset(), ctype_xxx() and for database security prepared statement .

    lesson 1: don’t care HOW you data came in, JUST BE PARANOID OF YOUR LOVELY VISITORS!

  38. I’m seeing a few different topics mixed here so after working with this *header* and diffferent libraries for a while now I’d like to comment as follows:
    (1) X-Requested-With is a header that’s being set (by consensus of their respective developers) by most high profile JS libraries and frameworks. I found it documented for jQuery, YUI 2/3, mootols and dojo. “the net” seems to agree that jQuery had the idea first. IF it is set, it’s content should be “XMLHttpRequest” and the PHP runtime will make it available as $SERVER['X-Requested-With']
    (2) It’s NOT set by any current browser to denote a request as coming from an XMLHttpRequest object or IE-pre-7 ActiveX pendant. Which means there is no browser configuration for this. It’s between your JS framework of choice and your server script.
    (3) There is a relevant caching issue here because IE agressively (and by default) caches AJAX requests. Detecting such AJAX requests and setting appropriate caching headers is a browser-agnostic solution to this (Firefox and WebKit based browsers just happen to handle this the way most developers want them to) and is widely considered the most appropriate solution, rather than manually appending superfluous request parameters.
    (4) Simply testing a request for a header can hardly be considered a security issue. The issue arises when it comes to what your code does with that request. Which is where https, cookie encryption and responsible right lease handling come in. But that’s actually a very different issue.

  39. Just curious – does anybody know if there’s a reason to lowercase the response? I haven’t checked extensively but in all cases I’ve seen where the header is sent, it’s always been capitalized in the exact same way ("XMLHttpRequest")..

  40. Manu V

    This is awesome! Thank you, didn’t know about this function..

  41. nice article sir!

  42. Nice work David. Your articles are always very well written and easy to follow cheers mate.

  43. acero

    It works only on JQuery ajax request :)

  44. TY VERY MUCH! That’s my golden ticket to finish a job! Ty David.

  45. am

    Does not seem to work in IE. the geniuses at microsoft stripped many things out of the server variable and now I’m pretty much forced to forcep eople to download a real browser.

    I cannot get this variable to output at all when I print the server array.

  46. I use this code:

    if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {	
    	echo 'ajac resived';
  47. Arturo J.

    Nice solution –but assumes that PHP is being run like Apache module. With PHP-FPM doesn’t work: it won’t get any header sent by JS. php://input comes to the rescue: instead of the header, the ajax request must send a parameter. PHP must check if it isset or not.

Wrap your code in <pre class="{language}"></pre> tags, link to a GitHub gist, JSFiddle fiddle, or CodePen pen to embed!