Popular posts

Edit: I did not see the node tag there. So I will remove part of my answer in php. Sorry!

If you want to identify if the call is from js:

• set a custom header within your application and check it on the server side
• set a cookie by js, since it will be sent to server check it again there
• sniff the user-agent header (something like below):

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

• Before the request, make the client do a ajax/fetch request by js, on server side set a cookie, and on the next request (the real one) check for the presence of this cookie (it can be string/hash that follows a certain rule etc.)

You can use 1 or all of the above points and combine it with the host name if you want. These are some points that came to my mind and I am sure there is many many more.

BUT, if you are not really offering some secure information (about people's identities) please let people scrape your website as they want. Because internet is a free environment. A tech savvy person can circumvent almost 99% of the measures taken. And DDoS is really really difficult to prevent after all.