I’m encountering a very strange issue when trying to call my PHP API hosted on my InfinityFree subdomain. Instead of the expected JSON response, I consistently receive an HTML page with the following structure:
```html
<html>
<body>
<script type="text/javascript" src="/aes.js"></script>
<script>
function toNumbers(d) {
    var e = [];
    d.replace(/(..)/g, function(d) {
        e.push(parseInt(d, 16))
    });
    return e
}
function toHex() {
    for (var d = [], d = 1 == arguments.length && arguments[0].constructor == Array ? arguments[0] : arguments, e = "", f = 0; f < d.length; f++)
        e += (16 > d[f] ? "0" : "") + d[f].toString(16);
    return e.toLowerCase()
}
var a = toNumbers("f655ba9d09a112d4968c63579db590b4")
  , b = toNumbers("98344c2eee86c3994890592585b49f80")
  , c = toNumbers("e68a897f83e28947c904edeca66e5a59");
document.cookie = "__test=" + toHex(slowAES.decrypt(c, 2, a, b)) + "; max-age=21600; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/";
location.href = "https://fastlyai.rf.gd/api/generate_prompt.php?i=1";
</script>
<noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript>
</body>
</html>
```
My frontend JavaScript makes a POST request to my PHP API endpoint (/api/generate_prompt.php). I’ve noticed that a cookie named __test does get set in my browser. I’ve even tried making the fetch request to the redirected URL (https://urlinfinity.free), but I still receive this same HTML response instead of the expected JSON.
My PHP API then makes a call to another external AI service. I’ve checked my PHP code, and it seems to be working correctly when tested locally.
Has anyone else encountered this type of response from their InfinityFree server when trying to call a PHP API? Could this be some kind of security measure? If so, how can I properly handle it from my frontend?
Any insights or suggestions would be greatly appreciated.
It’s easy, what I want is for my website to be able to make a call to an API of an external service, I said API because I have a .php file that is responsible for making that call to that service but the detail is that the AES script does not allow me to do it, that is my question
It’s my own website that needs to make a call to my php file that handles the call to the external API, but from what I read it seems it’s not possible to do so with the free plan.
But it’s curious because I’m calling my php file with js, that means the call is being made from the browser so it should work, so why doesn’t it work?
I got the AES code from the developer tools because the call to my PHP file was giving me an error.
I’ll explain the flow: my website calls my PHP file, which is hosted on the same domain. My PHP file makes the call to the external API and returns the response to my website. The AES code response is sent to me by my PHP file. I got it from the developer tools, as I told you, although I could also see some of it in the logs I had on my front end, but not in its entirety. I don’t know if it’s clearer now.
I just tried to click through your website to see if I could reproduce the error, but I didn’t run into any issues like that. The frontend script was able to access the generate_prompt.php script.
The URL of the PHP script responded with status code 500 to me, suggesting that something is wrong with the PHP code. But that’s unrelated to this question.
Having an API in PHP works if it’s called from Javascript code on the same domain, which is the case here, so that’s not the issue.
The only thing that comes to mind is that your security challenge cookie expired because you spent too long on the page. Does this also happen if you refresh the whole page and then go through the process?
But does it matter if the PHP API calls another external API? Because that’s my problem. Previously it worked, but without me touching any of the PHP code, it stopped working and sent me the error I posted above about the AES script. So, can I make calls to external APIs from a PHP file? Because that’s what my JS does: it calls my PHP API so that it handles communication with the external API.
Wow, I visited the website to see how to make the request?
But it still returns the AES script. If it worked, it should return a 500 error with a null or missing message, but it returns the HTML with the AES script.
If I refresh the website the same thing keeps happening, the _test cookie is in my browser so I don’t understand why it’s not working, I don’t know why the 500 error it returns is actually because sometimes it doesn’t give it to me, generally it returns the AES script, I leave images for evidence
No, the aes.js script thing only affects requests TO websites we host. It doesn’t apply to API calls to external services.
And from what I’ve read so far, the issue appears to be that you are getting this response in your frontend code when it accesses the PHP backend. If so, that means the access to your PHP script is blocked by this system. If so, it’s not important what exactly that PHP script is supposed to do, because our security system is preventing you from reaching it.
Given that you seem to be the only one seeing this issue, I still think that this is the reason:
Note that you don’t just need to have a test cookie, you need to have a valid test cookie. While the cookie expiration is set to a very long time, the actual server parameters get rotated quite frequently, which can cause issues with AJAX requests on pages that are open for a long time.
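Added example, not part of the original thread and not InfinityFree's code: a same-origin fetch wrapper that recognises the challenge page quoted in the question when it arrives in place of JSON, and reloads the page once so the browser can obtain a fresh `__test` cookie. The names `classifyResponse`, `callApi`, the `challengeReload` storage key and the sample bodies are assumptions made for illustration.

```javascript
// Markers taken from the challenge page quoted in the question.
const CHALLENGE_MARKERS = ['/aes.js', 'slowAES.decrypt', '__test='];

// Constructed sample bodies (the challenge is abridged from the quoted page).
const SAMPLE_CHALLENGE = '<html><body><script type="text/javascript" src="/aes.js"></script>' +
  '<script>document.cookie = "__test=" + toHex(slowAES.decrypt(c, 2, a, b));</script></body></html>';
const SAMPLE_JSON = '{"prompt":"hello"}';

// Decide what the body returned for an API call actually is.
function classifyResponse(status, body) {
  const hits = CHALLENGE_MARKERS.filter((m) => body.includes(m)).length;
  if (hits >= 2) return { kind: 'challenge', status };
  try {
    const data = JSON.parse(body);
    return { kind: status >= 400 ? 'api-error' : 'json', status, data };
  } catch (e) {
    // e.g. a PHP fatal error page behind a 500 status
    return { kind: 'not-json', status };
  }
}

// Browser-side wrapper (hypothetical helper); call it from a page on the same (sub)domain.
async function callApi(url, payload) {
  const res = await fetch(url, {
    method: 'POST',
    credentials: 'same-origin', // send the __test cookie with the request
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  const result = classifyResponse(res.status, await res.text());
  if (result.kind === 'challenge') {
    // The cookie is missing or no longer valid. Refresh the whole page, as
    // suggested in the thread, but only once to avoid a reload loop.
    if (!sessionStorage.getItem('challengeReload')) {
      sessionStorage.setItem('challengeReload', '1');
      location.reload();
    }
    throw new Error('Security challenge returned instead of JSON');
  }
  sessionStorage.removeItem('challengeReload');
  return result;
}
```

Separating `challenge` from `not-json` keeps the two problems discussed in this thread apart: a stale cookie triggers a reload, while a 500 from the PHP script is reported as an error in the script itself.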
Interestingly, the Aes script error disappeared and only returned the error 500, in the end I had to erase cookies from the browser and cache a lot of times, the error 500 if it was my api php, that if I already knew it and it was a problem with the handling of a text chain and other details, but the problem with the script aes disappeared as it appeared, this problem was presented to me, this problem I already worked without problems a few days ago and suddenly I returned the PHP script, to test the website you have to erase the website to apply the new changes
The problem with the AES script was solved by itself, just as it appeared it disappeared, maybe it had something to do with the cookies since I deleted them and the cache a lot of times as @Greenreader mentioned. I no longer have any problems with the AES script, but just to clear up any doubts 100%, InfinityFree does not limit calls to external APIs like Google, OpenAI, etc., to name a few? The documentation they have, https://forum.infinityfree.com/t/ensuring-only-web-browsers-can-access-your-website/49353, is not so clear about what they are referring to when they say:
Access through Android or iOS mobile apps (mobile browsers work fine).
API access to websites (like WordPress XML-RPC).
Access from cURL or other command-line clients.
Website code validators and SEO checkers.
Domain ownership verification checks which look at website URLs or HTML code. Some webmasters tools and ad networks do this.
Let’s Encrypt and websites providing certificates through Let’s Encrypt (like sslforfree.com or zerossl.com).
AJAX requests from other websites (CORS). AJAX requests are only possible on the same (sub)domain.
Hotlinking and embedding images and other (static) files on other websites.
I would like, if possible and if it is not too much trouble, if you could explain each of these points to me in a better way, especially with the issue of AJAX calls or calls to external APIs.
Basically, the article says “Ensuring only browsers can access your website”. External APIs are not your website, and this system doesn’t and cannot apply.