Library code snippets

The AJAX "Top 5" security tips

To succeed - you must start with good planning. Efforts should be focussed on reducing and simplifying the AJAX calls, and creating a standard format for responses that follows convention (ideally XML) where possible.

Follow best practice from sites such as the Open Web Application Security Project. This especially includes checking for Access Control and Input Validation flaws, whilst ensuring sensitive information travels over SSL rather than in the clear.

Never assume that Server Side AJAX checks for Access Control or User Input Validation will replace the need for final re-checking at the Server. Adding AJAX controls will never reduce your validation workload, they will only increase it.

Never assume that Client Side obfuscation (making the JavaScript difficult to read or decode) will protect your most important commercial secrets. Using JavaScript is a poor way to hide programming tricks and advances from your competitors.

Finally, you must be prepared to exercise a tight reign over your development team. Wonderful ideas using AJAX may sound compelling, but you should consider saving them for version 2, whilst you focus on building a rock-solid version 1.

Originally published at http://profoundway.blogspot.com/2006/06/ajax-net-security.html

Comments

  1. 21 Jul 2009 at 03:19
  2. 20 Jul 2007 at 08:02
    IMHO...

    returning CSV in a custom flatsheet, XML adds too much bulk and that puts data integrity at risk from failure.

    My personal preference is flatsheet over XML.









  3. 16 Oct 2006 at 11:50
    Link doesn't work....
  4. 01 Jan 1999 at 00:00

    This thread is for discussions of The AJAX "Top 5" security tips.

Leave a comment

Sign in or Join us (it's free).

Moe Tarhini
AddThis

Related podcasts

  • Ajax, DWR, and Spring

    Improving the User Experience without the JavaScript hassle: Ajax, DWR, and Spring Buzzwords like AJAX (Asynchronous JavaScript And XML) and XmlHttpRequest are buzzing around Java blogs for months now. The DWR (Direct Web Remoting) project aims to provide easy AJAX for Java. This session will...

Events coming up

  • Nov 20

    Full Frontal JavaScript Conference

    Brighton, United Kingdom

    A one day JavaScript conference held in Brighton, UK whose essence is to discuss JavaScript "with nothing concealed or held back".The conference is being held at one of the world's first cinemas, which first opened in 1910.Speakers include...

Want to stay in touch with what's going on? Follow us on twitter!