Hi,

Is it possible to restrict the access of an ASHX or WCF service to only AJAX calls from your own domain?

In order to improve site performance, we want to use the full jQuery & MS AJAX 4.0 approach; however, exposing our retail data via an ASHX or WCF service makes it really easy for competitors to harvest our data.

Yes, it is a public website and they could eventually harvest, and we will put throttling in place, but how can we lock calls to these services to our domain?

Could a Windows app connect directly to the service and still harvest?

Looks like another performance/security tradeoff!! sigh

Any suggestions would be helpful.

Thanks in advance.

A: 

What you're asking for can't be done. Any data that's available on your public website, whether it's intended to be called from a browser or via AJAX, can be scraped. You can try obfuscating your JavaScript and data, or using a CAPTCHA, but these can be worked around. Throttling also is only a minor deterrent, as an attacker can trickle their requests, or use multiple proxies.

Basically, once you put it on the Internet, it's public.

Andrew Strong
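
The throttling discussed in this thread, as an added example that is not code from the question or the answer: a per-client sliding-window limiter that an ASHX handler could consult before returning data. `SlidingWindowThrottle`, the limit of 5 requests per 10 seconds, and the client addresses are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not part of ASP.NET): allows at most `limit` requests per client per window.
public sealed class SlidingWindowThrottle
{
    private readonly int _limit;
    private readonly TimeSpan _window;
    private readonly Dictionary<string, Queue<DateTime>> _hits = new Dictionary<string, Queue<DateTime>>();

    public SlidingWindowThrottle(int limit, TimeSpan window) { _limit = limit; _window = window; }

    // In IHttpHandler.ProcessRequest, clientKey could be context.Request.UserHostAddress;
    // when this returns false the handler would set Response.StatusCode = 429 and return.
    public bool TryAcquire(string clientKey, DateTime nowUtc)
    {
        lock (_hits)
        {
            Queue<DateTime> q;
            if (!_hits.TryGetValue(clientKey, out q))
                _hits[clientKey] = q = new Queue<DateTime>();
            while (q.Count > 0 && nowUtc - q.Peek() >= _window) q.Dequeue(); // expire old hits
            if (q.Count >= _limit) return false;
            q.Enqueue(nowUtc);
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var throttle = new SlidingWindowThrottle(5, TimeSpan.FromSeconds(10));
        var t0 = new DateTime(2020, 1, 1, 0, 0, 0, DateTimeKind.Utc); // constructed clock
        int burst = 0, paced = 0;
        // Constructed burst: 8 requests 100 ms apart from one address; the excess is rejected.
        for (int i = 0; i < 8; i++)
            if (throttle.TryAcquire("203.0.113.10", t0.AddMilliseconds(i * 100))) burst++;
        // Constructed paced client: 8 requests 3 s apart stay under the limit, so all pass.
        // The limiter bounds request rate per client; it does not decide who may read the data.
        for (int i = 0; i < 8; i++)
            if (throttle.TryAcquire("203.0.113.11", t0.AddSeconds(i * 3))) paced++;
        Console.WriteLine("burst allowed: " + burst + ", paced allowed: " + paced);
    }
}
```

The paced run shows the limit the answer describes: the throttle caps how fast one client can pull data, which helps with load and raises the cost of bulk collection, but requests under the threshold are served like any other.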