Add a security layer to your AJAX calls

Logo ResourceSpace Logo Wordpress Logo Prestashop Logo Joomla

xAjaxSec is a MODX extension to secure ajax requests by preventing direct access to ajax responses and returned data, with encryption feature.

Cross-origin resource sharing (CORS) doesn't prevent direct access within the same origin. The purpose of this extra is to enhance security by allowing resource access only through AJAX.

This extension add an additional security layer and enhance low-visibility/accessibility of public resources and data but designed to be accessed from a specific page or in a specific context or scenario, without user account & group restrictions.


Security by key

A key is posted, if the key is not correct, the AJAX response will not be returned or processed and a 401 status will be returned.

Domain verification

independently of the CORS mechanism, the domain defined in the context options (Context settings → http_host) is compared with the domain of the target URL. If the test fails, no AJAX response, the AJAX response will not be returned or processed and a 401 status will be returned.

Direct access rejection

Direct access attempts to the target URL resource will return a 401 error page (unauthorized access). The redirect URL is defined by the following context key IDs, in order of priority:

  • unauthorized_page
  • error_page
  • site_start

Rejection of indexing by search engines

Active rejection of indexing by search engines of the target URL with the sending of the PHP header:

X-Robots-Tag: noindex, nofollow, noarchive, noimageindex.

Response encryption

An option allows encryption according to the AES protocol (Open SSL must be installed on the server) AJAX responses between the server and the client. The content of the responses will be encrypted in the development tool consoles (not to be confused with the https protocol which can be used jointly).



[[!xAjaxSec? &debug=`0` &cypher=`0` &run=`[[dummyAjaxProcessor]]`]]

Snippet options

Option Values Default / Notes
debug 0|1 Debug mode display tests for host, key and redirection URL
cypher 0|1 Encrypt AJAX response (AES encryption). OpenSSL must be installed on your server.


xAjaxSec - JSON encryption

xAjaxSec - Encryption