First of all, I'm looking for a programmed/automated solution, not a -personal- solution. I'm afraid that this question has not a direct answer because technology, so I'll check any workaround to make this validation.
I've a public RESTful service that my customers (third party applications) can consume.
It has authentication basic (in the header) and the POST has a parameter that contains a cyphered string in SHA-256 with the data sent in the other parameters, in order to validate the data.
This cyphered string is made by a hash-key provided by me, for every customer, because some customers are competitors between them.
It's possible (and how can I do it?) validate if the call is from server-side without checking the URL referer?
Just as comment, I'm using Web Api 2.2 in C#, but I think I could handle making the code myself, so any answer without code will be useful anyway.
I'm afraid that there is not exists any answer, because the clients are the same, but any some workaround or idea will be preciated.
Sorry for my english and my poor knowledge in HTTP clients.
If you could describe why it is a problem that customers are using ajax - would be easier to guess general solution. For example you can create registration service where your customer must specify their IPs so you can whitelist them, or you can create client auth library which all customers should use.