Ajax on Rails by Scott Raymond

Securing a web application is not a job that can be put on a to-do list and then checked off. There is no definitive list of “thou-shalts” that will result in perfect security. Designing secure web applications is a discipline that requires careful attention not just to the minutia of code, but also to the larger principles of secure design.

The goal of this chapter is to work on both fronts: first describing the principles of web security, then identifying specific chinks in the armor that are common on the Web, and finally providing concrete strategies for protecting your application and data.

Some security issues are specific to Ajax development, but most aren’t. In general, Ajax doesn’t fundamentally change anything about web security—the principles remain the same as ever. But Ajax does add surface area to an application, and that brings the potential for unforeseen consequences. Every increase in system complexity comes with a security cost, because vulnerabilities aren’t as readily apparent.

The chief danger of using Ajax is not that it creates a new kind of security risk, but that it obfuscates old kinds of risk. By design, Ajax works in the background—often there’s no visible, UI-level indication Ajax activity is even happening. The most important Ajax-related security principle is simply to remain conscious that Ajax requests are happening and that they’re regular HTTP requests, which demand all the same precautions as non-Ajax requests.