Everything sent over plain HTTP travels across the Internet as clear text. Anyone positioned on the path between the browser and the server, on a shared Wi-Fi network, at a compromised router, or at the ISP, can read it with nothing more than a packet sniffer. It does not matter whether the browser is sending a normal page request, a POST form submission, or an Ajax request: in every case the request line, the headers, and the body are readable by anyone who captures the traffic. This is one of the security risks of Ajax that developers often overlook. An Ajax request is an ordinary HTTP request; the only difference is that the user may not see it or even be the cause of it, and that makes it easy to forget that its data is just as exposed on the wire.
Because of this, sensitive data should never be sent in an Ajax request any more than it should be sent in any other type of request over plain HTTP. When private data must pass between the client and the server, use HTTPS (HTTP over TLS), which encrypts the whole exchange, including the URL path, headers, and body, so that an observer on the network sees only the destination host and ciphertext. Checking the protocol of the page and of the request URL before sending private fields is a cheap safeguard against accidentally posting them over HTTP. Unfortunately, this is not the only security risk with using Ajax.
The largest security risk comes with new possibilities for cross-site scripting (XSS) vulnerabilities. ...