Hank

Reputation: 1181

Does $_SERVER['HTTP_X_REQUESTED_WITH'] exist in PHP or not?

All over the Internet, including even here at Stack Overflow, people state that a good way to check if a request is AJAX or not is to do the following:

if (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest' ) {...}

However, I don't see $_SERVER['HTTP_X_REQUESTED_WITH'] in the official PHP documentation.

And when I try to do the following:

echo $_SERVER['HTTP_X_REQUESTED_WITH'];

Nothing is outputted.

Am I doing something wrong? Because I'd really like to be able to use $_SERVER['HTTP_X_REQUESTED_WITH'] if it's available.

Upvotes: 75

Views: 82536

Answers (11)

Nicholas Mberev

Reputation: 1841

You have to set it specifically in your Ajax request object (that is, if you are not using a framework like jQuery but core JavaScript), like so:

xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");

Where xhr is your request object.

Then, PHP will now receive and set it in the global variable $_SERVER like so:

$_SERVER['HTTP_X_REQUESTED_WITH']

Otherwise $_SERVER['HTTP_X_REQUESTED_WITH'] will always be null.

Note: In your JavaScript, please make sure you set headers after the request is open, I mean after the xhr.open() method.

Upvotes: 3

FragBis

Reputation: 73

I agree with Pekka. There is no reliable native method between front side and back side that can auto-detect if a client is really calling an endpoint using AJAX.

For my own use, I have a few main ways to check if a client is requesting one of my endpoints:

  1. I can use HTTP_X_REQUESTED_WITH when I'm not in a cross-domain context.

  2. Instead of checking "X-Requested-With", I check $_SERVER['HTTP_ORIGIN'] (that is sent from an AJAX request), intending to handle cross-domain permissions. Most of the time, the main reason why I check whether a request is an AJAX request is cross-domain permissions, using this PHP code: header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']); // If this "HTTP_ORIGIN" is in my white list

  3. My APIs expect the client to make explicit, in a few cases, the datatype (JSON, HTML etc.) in a GET or a POST var. For example, I check if $_REQUEST['ajax'] is not empty or equal to an expected value.

Upvotes: 1
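
The allowlist check that the comment in point 2 refers to, written out as an added example (not code from the answer above). The origins, the constant name and the function name are constructed for illustration.

```php
<?php
// Added example: exact-match Origin allowlist for CORS responses.
// The origins below are constructed placeholders, not values from the page.
const ALLOWED_ORIGINS = [
    'https://app.example.com',
    'https://admin.example.com',
];

/**
 * Returns the CORS headers to send for a request, or an empty array when
 * the Origin header is absent or not on the allowlist.
 */
function corsHeadersFor(array $server, array $allowed = ALLOWED_ORIGINS): array
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if (!is_string($origin)) {
        return []; // No Origin header: plain navigation or a non-browser client.
    }
    // Strict whole-string comparison: no prefix, substring or regex matching,
    // so a host that merely starts with an allowed name does not pass.
    if (!in_array($origin, $allowed, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin' => $origin,
        // The response now differs per Origin, so caches must key on it.
        'Vary' => 'Origin',
    ];
}

// Constructed sample requests. In a real handler you would instead run:
//   foreach (corsHeadersFor($_SERVER) as $k => $v) { header("$k: $v"); }
$samples = [
    'allowed'   => ['HTTP_ORIGIN' => 'https://app.example.com'],
    'lookalike' => ['HTTP_ORIGIN' => 'https://app.example.com.other.test'],
    'no origin' => [],
];
foreach ($samples as $label => $server) {
    $headers = corsHeadersFor($server);
    echo str_pad($label, 10), ' => ',
        $headers ? json_encode($headers) : 'no CORS headers', "\n";
}
```

Only the first sample receives Access-Control-Allow-Origin. The Origin header is set by the browser, so this governs which sites' scripts may read the response; it does not authenticate the caller.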

Jerome WAGNER

Reputation: 22422

This header is a standardization-in-progress from all of the AJAX libraries out there.

It won't be documented in the PHP documentation per se, but rather in the different AJAX libraries that set this header. Common libraries do send this header: jQuery, Mojo, Prototype, ...

Usually these libraries will set the header using

xhrobj.setRequestHeader("X-Requested-With", "XMLHttpRequest");

Upvotes: 18

revoke

Reputation: 559

$headers = apache_request_headers();
$is_ajax = (isset($headers['X-Requested-With']) && $headers['X-Requested-With'] == 'XMLHttpRequest');

Upvotes: 0

tfont

Reputation: 11233

Here's a quick function with example usage:

function isXmlHttpRequest()
{
    $header = isset($_SERVER['HTTP_X_REQUESTED_WITH']) ? $_SERVER['HTTP_X_REQUESTED_WITH'] : null;
    return ($header === 'XMLHttpRequest');
}

// example - checking our active call
if(!isXmlHttpRequest())
{
    echo 'Not an ajax request';
}
else
{
    echo 'is an ajax request';
}

Upvotes: 6

The Evil Thinker

Reputation: 1

The best solution to make sure that an HTTP request is truly sent via AJAX is using SESSION checking: you send session_id in a GET parameter and you check whether this session is allowed or not!

Upvotes: 0

EGL 2-101

Reputation: 1265

You can also blame some browser bugs - see this question and its solution for Firefox

Firefox does not preserve custom headers during Ajax request redirect: an ASP.NET MVC solution

IE also has a caching issue, which is more serious than detection of the request method.

You need to add cache busters anyway to avoid caching, so why not use another flag to specify the ajax call, or even better, you can use a different URL like http://ajax.mysite.com/endpoint/sevice?params

Upvotes: 1

J. Michael Wilson

Reputation: 504

Don't forget that you can easily spoof any header with cURL, like so:

curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Requested-With: XMLHttpRequest"));

Upvotes: 27

Pekka

Reputation: 449415

The variables in $_SERVER are not really part of PHP, which is why you won't find them in the PHP documentation. They are prepared by the Web server which passes them on to the scripting language.

As far as I know, the X-Requested-With is sent by the Ajax functions of most major frameworks but not all (Dojo, for example, added it only two years ago: #5801). As such, and taking into consideration @bobince's comments, it's safe to say it's not generally a 100% reliable method to determine whether a request is an AJAX request or not.

The only 100% secure way is to send a pre-defined flag (e.g. a GET variable) along with the request and for the receiving page to check for the presence of that flag.

Upvotes: 67

Your Common Sense

Reputation: 157863

echo $_SERVER['HTTP_X_REQUESTED_WITH'];

What did you expect from such code? Assume you're running it directly from the browser, not using an AJAX request. So, how come this header could be set?

Well, the Answer to the Ultimate Question of Life, the Universe, and Everything: an HTTP sniffer! Get yourself one and forget about printing the $_SERVER variable.

Firebug has one, or you may want to use the Fiddler HTTP proxy or the LiveHTTPHeaders Mozilla plugin. I'm too bored to make links, but it's easily googled.

So, with an HTTP sniffer you can be sure of any HTTP header ever.

Note that you can't prevent any "direct access" by using XHR, as every HTTP request to your server is already "direct".

Upvotes: 3

Ignacio Vazquez-Abrams

Reputation: 798626

$_SERVER keys that start with HTTP_ are generated from HTTP request headers. In this case, the X-Requested-With header.

Upvotes: 19
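
The header-to-key mapping described above, combined with the point made in earlier answers that the header is only a client's claim, as an added example (not code from any of the answers). The function names and the sample $_SERVER arrays are constructed for illustration.

```php
<?php
// Added example: map an HTTP header name to the $_SERVER key it appears under.
function serverKeyForHeader(string $name): string
{
    $key = strtoupper(str_replace('-', '_', $name));
    // CGI convention: these two headers are exposed without the HTTP_ prefix.
    if ($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') {
        return $key;
    }
    return 'HTTP_' . $key;
}

// Returns the header value, or null when the client did not send the header.
function requestHeader(array $server, string $name): ?string
{
    $value = $server[serverKeyForHeader($name)] ?? null;
    return is_string($value) ? $value : null;
}

// True when the client *claims* to be an XHR call. Any HTTP client can set
// this header, so the result is a formatting hint, never an access check.
function claimsXhr(array $server): bool
{
    $value = requestHeader($server, 'X-Requested-With');
    return $value !== null && strcasecmp($value, 'XMLHttpRequest') === 0;
}

// Use the claim only to choose the response format; authentication and
// authorization have to be decided elsewhere, identically for both branches.
function render(array $server, array $data): string
{
    return claimsXhr($server)
        ? json_encode($data)
        : '<p>' . htmlspecialchars($data['message'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed samples standing in for $_SERVER on three kinds of request.
$requests = [
    'address bar'   => [],  // header absent, as in the question's echo test
    'library XHR'   => ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'],
    'script client' => ['HTTP_X_REQUESTED_WITH' => 'xmlhttprequest'],
];
foreach ($requests as $label => $server) {
    echo str_pad($label, 14), render($server, ['message' => 'hello']), "\n";
}
```

The first sample yields the HTML branch and the other two yield JSON; the server has no way to tell the last two apart, which is why the header should never gate access.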
