Chapter 15

Ajax and Security

IN THIS CHAPTER

  • Handling malicious users
  • Withstanding JavaScript and SQL injection attacks
  • Implementing password protection
  • Implementing password protection on the server
  • Sending username and password to the server using the XMLHttpRequest object
  • Using public/private key encryption to protect passwords

This chapter discusses Ajax and security, a particularly important topic because Ajax involves communicating with server-side programming, which leaves it open to abuse. This chapter contains a discussion of the security issues with Ajax, and what to do about them.

Protecting Against Malicious Users

Unfortunately, malicious users are out there, ranging from the casual to the very serious. If your Ajax application involves credit card use or other sensitive data, that application may be open to abuse.

The problem with Ajax applications is that the way you deal with the server is by using JavaScript, and that JavaScript is visible to all. Even placing that JavaScript in a .js file on the server offers no relief — those .js files are easily downloaded. Even if you create the JavaScript on the fly, as with a PHP script, it's still easily accessible by the user, who has only to view the page source.

That means you have to assume that, security-wise, users have access to your JavaScript, which means they can figure out how your application deals with the server. For example, in simple terms, you might access this URL on the server to record a user's score:
