Securing Ajax Applications by Christopher Wells

Chapter 7. Building Secure APIs

The Web has reached a new plateau. We are no longer communicating with static web pages, but with live content and dynamic web pages that cross-pollinate with each other to form a new social and communication experience. In this next-generation web world we no longer have a network of web sites, virtual places that we go to and explore. This new world is more componentized. Each article a blogger writes, each comment a visitor leaves on a blog, each image a photographer takes, each song a musician posts, each video you see on YouTube is a small, discrete piece of content, componentized and ready for quick and easy sharing.

What has sparked this movement and fueled its growth is the notion of exposing these chunks of data or services via Application Programming Interfaces (APIs). These public APIs are, in essence, documented contracts that tell developers how to call the exposed content or feature. Suppose that you have a web site that sells lemons. You expose an interface that allows others to see all your lemons: big ones, small ones, round ones, and oblong ones. Then some neo-web magician surfing around at 3 o'clock in the morning shows up, sees your API, and makes lemonade.

Now, not to sour this notion or anything, but exposing data and services is almost always going to be a security problem. There are many things to consider before you just put it all out there. Remember, it's the big bad Internet, and you may think you're dealing with one party ...