Secure JSON Requests
Building Secure JSON Responses
Securing JSON responses against hijacking on the server has two main requirements
that need to be met as part of the application architecture. These are:
• Ensure a properly formatted JSON object
• Use POST to retrieve sensitive data via JSON
Another way to put this is:
• Never return JSON arrays
• Never use GET requests for sensitive data
A properly formed JSON object, that is, a top-level value wrapped in braces with
quoted keys, is not a valid JavaScript program: when a browser loads it through a
script tag, the opening brace is parsed as the start of a block and the first
"key": is a syntax error, so nothing runs. A JSON array, by contrast, is a valid
JavaScript expression statement, so the same script tag parses and evaluates it.
Returning sensitive JSON only in response to POST closes the other half of the
attack: a script tag (like any link or image) can only issue a GET request, so
a remote page cannot fetch the data with the victim's authentication cookie.
The Anti-Pattern for Insecure JSON Implementations would be an architecture
that has the following elements in place. CSR