xAjaxSec is a MODX extension that secures AJAX requests by preventing direct access to AJAX responses and the data they return, with an optional encryption feature.
Cross-origin resource sharing (CORS) does not prevent direct access from within the same origin. The purpose of this extra is to enhance security by allowing access to a resource only through AJAX.
This extension adds an additional security layer and lowers the visibility and accessibility of resources and data that are technically public but designed to be accessed only from a specific page, or in a specific context or scenario, without relying on user account and group restrictions.
Features
Security by key
A key is posted with the request. If the key is not correct, the AJAX response is neither processed nor returned, and a 401 status is sent.
Domain verification
Independently of the CORS mechanism, the domain defined in the context settings (Context settings → http_host) is compared with the domain of the target URL. If they do not match, the AJAX response is neither processed nor returned, and a 401 status is sent.
Direct access rejection
Direct access attempts to the target URL resource return a 401 error page (unauthorized access). The redirect URL is taken from the following context setting keys, in order of priority:
- unauthorized_page
- error_page
- site_start
Rejection of indexing by search engines
Active rejection of indexing of the target URL by search engines, by sending the following header from PHP:
X-Robots-Tag: noindex, nofollow, noarchive, noimageindex
Response encryption
An option enables AES encryption of the AJAX responses exchanged between the server and the client (OpenSSL must be installed on the server). The content of the responses then appears encrypted in the browser's developer tool consoles. This is not to be confused with HTTPS, which can be used jointly.
Usage
Example:
[[!xAjaxSec? &debug=`0` &cypher=`0` &run=`[[dummyAjaxProcessor]]`]]
Snippet options
| Option | Values | Default / Notes |
|---|---|---|
| debug | `0` or `1` | Debug mode: displays the tests for host, key and redirect URL |
| cypher | `0` or `1` | Encrypt the AJAX response (AES encryption). OpenSSL must be installed on your server. |