Reputation: 758
I'm sure this question has been asked before, but I can't find a thread that explains it in a way that makes sense to me.
I'm creating a bookmarklet/browser plugin written in JavaScript. This script makes calls to an API, effectively sending a user's activity information from one site to another (think: making a tweet when a user posts a Facebook status).
This site loads JavaScript right into the site. The API I'm using requires an MD5 hash to be generated using an API secret code. This is no problem: I'm making an Ajax call to a PHP script I'm hosting elsewhere, which returns the correct string.
Problem is, I don't want the user to be able to make a call to this same script to generate their own strings, with the secret embedded, to abuse the API. Is there a way I can only allow calls to this API when I want to make them?
Or maybe I'm approaching this from the wrong direction.
Upvotes: 5
Views: 2618
Reputation: 67004
You cannot dictate how a client executes your JavaScript. There is no way to create a "secure" request, or ensure that it wasn't modified by an attacker. This is the nature of the client/server system. The page itself can be modified using GreaseMonkey, and any request can be modified or replayed using TamperData.
Upvotes: 3
Reputation: 148744
1) You should open a token in your DB, such as a GUID.
This GUID will represent some info and can only be executed once (put a field in the DB table called "isAlreadyuse", of type bit).
Now, when the Ajax call is made, you send this GUID to the server.
The server will check whether the GUID exists, execute its logic, and update the field to "1".
Upvotes: 0
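The single-use GUID scheme from the last answer, sketched server-side as an added example that is not code from any of the posts. It is written in Node.js rather than the asker's PHP; the in-memory `Map` stands in for the DB table, and the `md5(secret + payload)` format, the 60-second lifetime, the payload binding and all function names are assumptions.

```javascript
const crypto = require('crypto');

const API_SECRET = 'constructed-demo-secret'; // placeholder; stays on the server
const TOKEN_TTL_MS = 60 * 1000;               // assumed token lifetime

// Stands in for the DB table: guid -> { used, expires, payload }.
// `used` plays the role of the "isAlreadyuse" bit field from the answer.
const tokens = new Map();

// Issue a token when the server itself decides a call is legitimate.
// The token is bound to the exact payload it may be used to sign.
function issueToken(payload, now = Date.now()) {
  const guid = crypto.randomUUID();
  tokens.set(guid, { used: false, expires: now + TOKEN_TTL_MS, payload });
  return guid;
}

// Redeem a token: every check must pass before the secret is touched.
function redeemToken(guid, payload, now = Date.now()) {
  const row = tokens.get(guid);
  if (!row) return { ok: false, reason: 'unknown' };
  if (row.used) return { ok: false, reason: 'used' };
  if (now > row.expires) return { ok: false, reason: 'expired' };
  if (row.payload !== payload) return { ok: false, reason: 'payload-mismatch' };

  // Mark used BEFORE signing. With a real database this must be one atomic
  // statement (UPDATE ... WHERE guid = ? AND isAlreadyuse = 0) followed by a
  // rows-affected check, so two concurrent requests cannot both succeed.
  row.used = true;

  const hash = crypto
    .createHash('md5')
    .update(API_SECRET + payload) // assumed signing format
    .digest('hex');
  return { ok: true, hash };
}

// Constructed demo: the first redemption signs, the replay is refused.
const demoToken = issueToken('status=hello');
console.log(redeemToken(demoToken, 'status=hello')); // ok: true, with a hash
console.log(redeemToken(demoToken, 'status=hello')); // ok: false, reason 'used'
```

The token stops a captured request from being replayed or reused for a different payload; it says nothing about who asked for the token, so the decision to call `issueToken` still has to be made on the server.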