php allow cross domain ajax requests
Disclaimer: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/13388942/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
allow cross domain ajax requests
Asked by Aliweb
In my project, I need to allow others to send ajax requests to my script. So external requests may come from other websites and domains, and maybe from browser extensions.
I've simply added these two lines at the top of my script to let them do it:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST');
Now my question is this: is there any security consideration I've missed? Does this simple solution cause serious problems?
If so, what is the better solution?
Thanks for the response.
Accepted answer by Robbie
As mentioned above, anyone can send a request to your page at any time: so the major security concerns you need are to validate user input and only reveal information that is available for public consumption. But that applies to all scripts.
The two main issues you need to concentrate on (after validating user input) are:
- The problem you may have is users receiving the information into their scripts. Depending on the browser (and even between flavours of the same browser) there are different security rules that prevent them from getting the information back. A common solution to this is to provide information back as "JSONP", which is to wrap your return value as a function call that can be executed by the client. Here's a quick example (taken from http://www.geekality.net/2010/06/27/php-how-to-easily-provide-json-and-jsonp/). To further lock it down, you can insist that all queries are JSONP and reject anyone not sending the callback function.
<?php
// Accept only an identifier-shaped callback name; echoing it unchecked lets the caller inject script.
$callback = $_GET['callback'] ?? '';
if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$.]*\z/', $callback)) {
    http_response_code(400); exit('invalid callback');
}
header('Content-Type: application/javascript; charset=utf-8');
$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);
echo $callback . '(' . json_encode($data) . ');';
?>
- Someone abusing your service by calling too regularly. Solutions for this are to trap the IP address and reject if you get too many calls from an IP address. Not foolproof, but it's a start.
Other factors to bear in mind:
- cookies and other headers set by your script will probably be ignored
- the same applies to sessions
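A stricter alternative to the wildcard header from the question and the accepted answer, as an added example that is not part of any of the original posts: the server keeps an allowlist and echoes back only a validated Origin, answers the preflight, and deliberately never allows credentials. The two allowlisted origins are assumed placeholders.

```php
<?php
// Added example, not from the question or answers: replace the wildcard with an
// allowlist and echo back only a validated Origin. The two origins are placeholders.
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://partner.example.org'];

/**
 * Compute the CORS headers for one request (empty array = send none).
 * Kept free of header() calls so the decision can be unit-tested.
 */
function corsHeadersFor(?string $origin, string $method): array
{
    // Exact match on the full Origin value (scheme, host, port); a substring
    // test such as strpos($origin, 'example.com') would also accept lookalike hosts.
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];                                  // unknown origin: browser refuses the read
    }
    $headers = [
        'Access-Control-Allow-Origin' => $origin,   // the validated value, never "*"
        'Vary' => 'Origin',                         // keep caches from serving one origin's answer to another
    ];
    // Access-Control-Allow-Credentials is deliberately absent: the endpoint serves public
    // data only, so a credentialed (cookie/session) request from another site cannot read it.
    if ($method === 'OPTIONS') {                    // preflight for non-simple requests
        $headers['Access-Control-Allow-Methods'] = 'GET, POST';
        $headers['Access-Control-Allow-Headers'] = 'Content-Type';
        $headers['Access-Control-Max-Age'] = '600';
    }
    return $headers;
}

// Apply the decision to the live request.
$method = $_SERVER['REQUEST_METHOD'];
foreach (corsHeadersFor($_SERVER['HTTP_ORIGIN'] ?? null, $method) as $name => $value) {
    header("$name: $value");
}
if ($method === 'OPTIONS') {
    http_response_code(204);                        // preflight answered; no body
    exit;
}
header('Content-Type: application/json; charset=utf-8');
echo json_encode(['items' => [1, 2, 3]]);
```

A request whose Origin is not on the list still reaches the script (as the accepted answer notes, anyone can call it), but the browser will not hand the response to the calling page.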
Answered by Zak
Like zerkms said, if they just "go" to your php page, they will be able to see whatever it echoes out. If it's possible (not sure it is), it will also allow unwanted people to create their own forms even on a localhost and submit them via AJAX to get the responses they want. If that's ok with you, and the information is ambiguous/harmless, then I suppose it would be "safe". It's NOT an ok method to get/transfer sensitive information.
Answered by paras
<?php
// Method of a response helper class (only this fragment was posted); $this->_code,
// $this->_content_type and get_status_message() are assumed to be defined elsewhere in the class.
private function set_headers() {
    header("HTTP/1.1 " . $this->_code . " " . $this->get_status_message());
    header("Content-Type: " . $this->_content_type);
    header("Access-Control-Allow-Origin: *");
}
Answered by Jean Paul Beard
This worked perfectly for me.
<?php
header('Access-Control-Allow-Origin: *');
header("Access-Control-Allow-Headers: X-API-KEY, Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Method");
header("Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE");
header("Allow: GET, POST, OPTIONS, PUT, DELETE");
$method = $_SERVER['REQUEST_METHOD'];
// A CORS preflight is an OPTIONS request; answer it with the headers above and no body.
if ($method === "OPTIONS") {
    die();
}