Detecting XHR is a small trick for security procedure nowadays.
Today most web application is detecting by bots or spiders. Some of them looking for your security issues. You can handle it with simple moves.
If you filter just like below, there is a one more layer for your critical procedures. Because lots of spiders or crawlers does not have skill for set request type.
[php]
/* XHR-AJAX check */
if(!empty($_SERVER[‘HTTP_X_REQUESTED_WITH’]) && strtolower($_SERVER[‘HTTP_X_REQUESTED_WITH’]) == ‘xmlhttprequest’){
/*Your Procedures or processes */
}else{
/*Here is a direct call or bot */
die(‘you shall not pass!’);
}
[/php]
Simple.