xAjaxSec

Add a security layer to your AJAX calls


xAjaxSec is a MODX extension that secures AJAX requests by preventing direct access to AJAX responses and the data they return, with an optional encryption feature.

Cross-origin resource sharing (CORS) does not prevent direct access from within the same origin. The purpose of this extra is to enhance security by allowing resource access only through AJAX.

This extension adds an additional security layer and reduces the visibility and accessibility of resources and data that are public (not restricted by user accounts or user groups) but are designed to be accessed only from a specific page, context or scenario.

Features

Security by key

A key is posted with the request. If the key is not correct, the AJAX response is neither processed nor returned, and a 401 status is sent instead.

Domain verification

Independently of the CORS mechanism, the domain defined in the context settings (Context settings → http_host) is compared with the domain of the target URL. If the comparison fails, the AJAX response is neither processed nor returned, and a 401 status is sent instead.

Direct access rejection

Direct access attempts to the target URL resource will return a 401 error page (unauthorized access). The redirect URL is defined by the following context key IDs, in order of priority:

  • unauthorized_page
  • error_page
  • site_start

Rejection of indexing by search engines

Indexing of the target URL by search engines is actively rejected by sending the following HTTP header from PHP:

X-Robots-Tag: noindex, nofollow, noarchive, noimageindex
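The four checks above (posted key, context host, direct-access rejection with the 401 page resolved in priority order, and the X-Robots-Tag header) can be read as one request gate. The following is an added illustration of that gate written for this page; it is not xAjaxSec's own code. The function names, the POST field name `key`, the use of the `X-Requested-With: XMLHttpRequest` header as the direct-access test, and the sample requests are all assumptions constructed for the example.

```php
<?php
// Added illustration of the request gate described in the feature list above.
// Not the extension's own code: function names, the POST field 'key', the
// X-Requested-With test and the sample data below are assumptions.

declare(strict_types=1);

/**
 * Decide whether an AJAX request may reach the processor.
 * Returns ['allowed' => bool, 'reason' => string].
 */
function xajaxsec_gate(array $server, array $post, string $expectedKey, string $contextHost): array
{
    // 1. Security by key: compare in constant time so timing leaks nothing.
    $posted = isset($post['key']) && is_string($post['key']) ? $post['key'] : '';
    if (!hash_equals($expectedKey, $posted)) {
        return ['allowed' => false, 'reason' => 'bad key'];
    }

    // 2. Domain verification: the host the request targets must equal the
    //    http_host configured for the MODX context, independent of CORS.
    $targetHost = strtolower($server['HTTP_HOST'] ?? '');
    if ($targetHost === '' || $targetHost !== strtolower($contextHost)) {
        return ['allowed' => false, 'reason' => 'host mismatch'];
    }

    // 3. Direct access rejection: a browser navigating straight to the URL
    //    does not send the XMLHttpRequest marker (assumed test for this example).
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return ['allowed' => false, 'reason' => 'direct access'];
    }

    return ['allowed' => true, 'reason' => 'ok'];
}

/** Resolve the 401 page from context settings, in the documented priority order. */
function xajaxsec_unauthorized_page(array $contextSettings): ?string
{
    foreach (['unauthorized_page', 'error_page', 'site_start'] as $key) {
        if (!empty($contextSettings[$key])) {
            return (string) $contextSettings[$key];
        }
    }
    return null;
}

/** Apply the decision: 401 on failure, noindex header on success. */
function xajaxsec_respond(array $decision, array $contextSettings): void
{
    if (!$decision['allowed']) {
        http_response_code(401);
        $page = xajaxsec_unauthorized_page($contextSettings);
        exit($page === null ? 'Unauthorized' : 'Unauthorized (see resource ' . $page . ')');
    }
    // 4. Rejection of indexing by search engines for the AJAX endpoint itself.
    header('X-Robots-Tag: noindex, nofollow, noarchive, noimageindex');
}

// --- constructed sample requests (not captured traffic) ----------------------
$expectedKey = 'example-shared-key';  // placeholder; generate per deployment
$contextHost = 'example.com';         // would come from the context's http_host

$samples = [
    'ajax'       => ['server' => ['HTTP_HOST' => 'example.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
                     'post'   => ['key' => 'example-shared-key']],
    'direct hit' => ['server' => ['HTTP_HOST' => 'example.com'],
                     'post'   => ['key' => 'example-shared-key']],
    'wrong host' => ['server' => ['HTTP_HOST' => 'other.example', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
                     'post'   => ['key' => 'example-shared-key']],
    'bad key'    => ['server' => ['HTTP_HOST' => 'example.com', 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
                     'post'   => ['key' => 'guess']],
];

foreach ($samples as $label => $r) {
    $d = xajaxsec_gate($r['server'], $r['post'], $expectedKey, $contextHost);
    printf("%-10s allowed=%-3s (%s)\n", $label, $d['allowed'] ? 'yes' : 'no', $d['reason']);
}
```

Only the first sample passes the gate; the other three are refused before any processor runs, which is the point of performing all checks ahead of the `run` call. Note that `X-Requested-With` is a convention set by the client script, so the host and key checks carry the actual security weight; the direct-access test mainly keeps casual navigation and crawlers away from the endpoint.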

Response encryption

An option enables AES encryption of AJAX responses between the server and the client (OpenSSL must be installed on the server). Response bodies then appear encrypted in browser developer-tool consoles. This is not to be confused with HTTPS, which can be used alongside it.
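As an added example of what the encryption option achieves, the block below AES-encrypts a JSON response with OpenSSL and decrypts it again. It is written for this page and is not xAjaxSec's code or its wire format: the envelope field names, the key derivation and the sample payload are assumptions. It uses AES-256-GCM rather than a bare block mode so that a response altered in transit fails to decrypt instead of yielding garbage.

```php
<?php
// Added example of AES-encrypting a JSON AJAX response with OpenSSL, in the
// spirit of the cypher option. Not the extension's own code: envelope layout,
// key derivation and the sample data are assumptions.

declare(strict_types=1);

const XAS_CIPHER = 'aes-256-gcm'; // authenticated: tampering is detected on decrypt

/** Encrypt an array as JSON and return a JSON envelope for the client. */
function xajaxsec_encrypt_response(array $payload, string $key): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 needs a 32-byte key');
    }
    $plain = json_encode($payload, JSON_THROW_ON_ERROR);
    $iv  = random_bytes(openssl_cipher_iv_length(XAS_CIPHER)); // fresh IV per response
    $tag = '';
    $ct  = openssl_encrypt($plain, XAS_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return json_encode([
        'iv'  => base64_encode($iv),
        'tag' => base64_encode($tag),
        'ct'  => base64_encode($ct),
    ], JSON_THROW_ON_ERROR);
}

/** Reverse of the above; returns null when the envelope was altered. */
function xajaxsec_decrypt_response(string $envelope, string $key): ?array
{
    $e = json_decode($envelope, true, 512, JSON_THROW_ON_ERROR);
    $plain = openssl_decrypt(
        base64_decode($e['ct'], true), XAS_CIPHER, $key, OPENSSL_RAW_DATA,
        base64_decode($e['iv'], true), base64_decode($e['tag'], true)
    );
    return $plain === false ? null : json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// --- constructed demo --------------------------------------------------------
$key = hash('sha256', 'example-shared-secret', true); // 32 raw bytes; placeholder secret

$response = ['status' => 'ok', 'items' => [['id' => 1, 'name' => 'sample']]];
$envelope = xajaxsec_encrypt_response($response, $key);
echo "On the wire (what the dev-tools console shows):\n", $envelope, "\n";

$back = xajaxsec_decrypt_response($envelope, $key);
echo "Decrypted: ", json_encode($back), "\n";

// Flip one bit of the ciphertext: the GCM tag check makes decryption fail.
$e = json_decode($envelope, true);
$ct = base64_decode($e['ct']);
$ct[0] = chr(ord($ct[0]) ^ 0x01);
$e['ct'] = base64_encode($ct);
var_dump(xajaxsec_decrypt_response(json_encode($e), $key)); // NULL
```

Because the browser script must hold the same key to decrypt, this hides response data from casual inspection of the console and from anyone reading the endpoint directly, not from a user who controls the page; transport protection against network observers remains the job of HTTPS, as the text notes.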

Usage

Example:

[[!xAjaxSec? &debug=`0` &cypher=`0` &run=`[[dummyAjaxProcessor]]`]]

Snippet options

| Option | Values | Default / Notes |
|--------|--------|-----------------|
| debug  | 0\|1   | Debug mode: displays the tests for host, key and redirection URL |
| cypher | 0\|1   | Encrypt the AJAX response (AES encryption). OpenSSL must be installed on your server. |

Examples

xAjaxSec - JSON encryption

xAjaxSec - Encryption