
Ajax: The Definitive Guide by Anthony T. Holdener III


Security Risks

Everything sent over plain HTTP travels in clear text, readable by anyone on the network path who has malicious intent and a little technical knowledge. It does not matter whether the browser is issuing an ordinary page request, a GET or POST form submission, or an Ajax request: in every case the content is readable in transit. This is a risk that developers often overlook with Ajax. Even though the user may never see the request, or even be the cause of it, the data it carries is just as exposed to anyone who can observe the traffic.

For this reason, sensitive data should never be sent over an unencrypted Ajax request, any more than it should be sent over any other unencrypted request. Use HTTPS (or another protocol that provides encryption) whenever private data must pass between the client and the server, and make sure the Ajax endpoints themselves are served over HTTPS, not only the page that issues the requests. Unfortunately, this is not the only security risk of using Ajax.

A problem now leaping to the forefront is that Ajax depends on JavaScript and heavy client-side scripting, which gives well-known JavaScript weaknesses room to resurface in greater numbers than before. The risk is heightened when developers place security controls on the client side: that code is delivered to every user, can be read and modified by anyone, and can simply be skipped by an attacker who builds the request by hand with a tool other than the page's own JavaScript. Client-side checks are a usability aid at best. Every security control, including input validation and authorization, must be enforced on the server to keep an Ajax application as secure as possible.
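The following is an added example, not code from the book, showing why a client-side check is not a security control. The account table, the transfer endpoint and the `validated` flag are hypothetical and constructed for this illustration. The page's JavaScript runs clientSideCheck before sending the Ajax request; an attacker never calls it and instead posts a hand-built request body. The insecure handler trusts what the client sent; the secure handler re-validates everything on the server and takes the acting user from the session, not from the request.

```javascript
// Added example (not from the book). Hypothetical accounts, constructed for
// this illustration; a fresh copy is created for each scenario.
function makeAccounts() {
  return { alice: { balance: 500 }, bob: { balance: 50 } };
}
const MAX_TRANSFER = 1000;

// Check the page's JavaScript might run before issuing the Ajax request.
// It improves usability only: an attacker sending the request directly
// (curl, a proxy, a hand-built XMLHttpRequest) simply does not run it.
function clientSideCheck(form) {
  const amount = Number(form.amount);
  return Number.isFinite(amount) && amount > 0 && amount <= MAX_TRANSFER;
}

// Vulnerable server handler: trusts the client's "validated" flag and the
// client-supplied amount. A negative amount moves money toward the sender.
function handleTransferInsecure(session, body, accounts) {
  if (!body.validated) return { status: 400, error: 'not validated' };
  const amount = Number(body.amount);
  accounts[session.user].balance -= amount;
  accounts[body.to].balance += amount;
  return { status: 200 };
}

// Hardened server handler: ignores any client-side claims and re-checks
// every input; the acting user comes from the authenticated session.
function handleTransferSecure(session, body, accounts) {
  const from = session && session.user;
  if (!from || !accounts[from]) return { status: 401, error: 'not authenticated' };

  const amount = Number(body.amount);
  if (!Number.isFinite(amount) || amount <= 0 || amount > MAX_TRANSFER) {
    return { status: 400, error: 'invalid amount' };
  }
  if (typeof body.to !== 'string' || !Object.prototype.hasOwnProperty.call(accounts, body.to) || body.to === from) {
    return { status: 400, error: 'invalid recipient' };
  }
  if (accounts[from].balance < amount) {
    return { status: 400, error: 'insufficient funds' };
  }
  accounts[from].balance -= amount;
  accounts[body.to].balance += amount;
  return { status: 200 };
}

// Constructed attacker request: bypasses clientSideCheck and sets the flag.
const ATTACK_BODY = { amount: '-500', to: 'alice', validated: true };

// Stand-alone demonstration.
function demo() {
  const insecure = makeAccounts();
  const r1 = handleTransferInsecure({ user: 'bob' }, ATTACK_BODY, insecure);
  const secure = makeAccounts();
  const r2 = handleTransferSecure({ user: 'bob' }, ATTACK_BODY, secure);
  return { insecure: { result: r1, bob: insecure.bob.balance },
           secure: { result: r2, bob: secure.bob.balance } };
}
```

In the insecure path, bob's hand-built request with a negative amount raises his own balance at alice's expense even though the browser check would have rejected it; the secure handler returns 400 and leaves both balances untouched.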

The largest security risk comes with new possibilities for cross-site scripting (XSS) vulnerabilities. ...
