Works perfectly Tony. I simplified the conditional tho':

<cfif StructKeyExists(headers,'X-Requested-With') AND headers['X-Requested-With'] EQ 'XMLHttpRequest'>
</cfif>

-----Original Message-----
From: Tony Bentley [mailto:cascadefreehee...@gmail.com]
Sent: Friday, August 13, 2010 2:55 PM
To: cf-talk
Subject: Re: Preventing use of remote method by other sites

I use a cfc that checks to see if the method being called is from within the domain, is indeed ajax and that the method is indeed accessed remotely, otherwise abort the request. If you are doing cross site requests, pass a unique key in your form.

Is it ajax?

<cffunction name="isAjax" access="private" returntype="boolean" output="false">
    <!---
        all of the user management requests are going to come via ajax within the domain.
        if a request is not from this site and not ajax, abort the request.
        run this check on any of the remote methods
    --->
    <cfscript>
        // var-scope the local so it is not shared across requests on a cached CFC instance
        var requestHeaders = getHTTPRequestData().headers;
        if (not StructKeyExists(requestHeaders, "X-Requested-With")) {
            return false;
        }
        else if (StructFind(requestHeaders, "X-Requested-With") neq "XMLHttpRequest") {
            return false;
        }
        else {
            return true;
        }
    </cfscript>
</cffunction>
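
Added example, not part of either message in this thread: one way to combine the three checks described above (ajax header, request from within the domain, unique key passed with the form) in a single guard for remote methods. The function name, the `submittedKey` argument and `session.formKey` are hypothetical; it assumes session management is enabled and that the key was stored in the session when the form was rendered.

```cfml
<cffunction name="isTrustedAjaxRequest" access="private" returntype="boolean" output="false">
    <!--- submittedKey: the unique key posted with the form (hypothetical field) --->
    <cfargument name="submittedKey" type="string" required="true">
    <cfscript>
        var headers = getHTTPRequestData().headers;
        var source = "";
        var sourceHost = "";

        // 1. Ajax marker: same test as isAjax() in the thread
        if (not StructKeyExists(headers, "X-Requested-With")
            or headers["X-Requested-With"] neq "XMLHttpRequest") {
            return false;
        }

        // 2. Same domain: prefer Origin, fall back to Referer
        if (StructKeyExists(headers, "Origin")) {
            source = headers["Origin"];
        } else if (StructKeyExists(headers, "Referer")) {
            source = headers["Referer"];
        }
        // Reduce scheme://host[:port]/path to the bare host name
        sourceHost = ReReplaceNoCase(source, "^https?://", "");
        sourceHost = ListFirst(ListFirst(sourceHost, "/"), ":");
        // A missing or foreign host fails the check
        if (not Len(sourceHost) or CompareNoCase(sourceHost, cgi.server_name) neq 0) {
            return false;
        }

        // 3. Unique key: must match the value stored server-side for this session
        if (not StructKeyExists(session, "formKey") or not Len(session.formKey)
            or Compare(arguments.submittedKey, session.formKey) neq 0) {
            return false;
        }

        return true;
    </cfscript>
</cffunction>
```

The `X-Requested-With`, `Origin` and `Referer` values are all supplied by the client, so the session-bound key is the one check here that is compared against state held on the server.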