The AJAX "Top 5" security tips

To succeed - you must start with good planning. Efforts should be focussed on reducing and simplifying the AJAX calls, and creating a standard format for responses that follows convention (ideally XML) where possible.

Follow best practice from sites such as the Open Web Application Security Project. This especially includes checking for Access Control and Input Validation flaws, whilst ensuring sensitive information travels over SSL rather than in the clear.

Never assume that Server Side AJAX checks for Access Control or User Input Validation will replace the need for final re-checking at the Server. Adding AJAX controls will never reduce your validation workload, they will only increase it.

Never assume that Client Side obfuscation (making the JavaScript difficult to read or decode) will protect your most important commercial secrets. Using JavaScript is a poor way to hide programming tricks and advances from your competitors.

Finally, you must be prepared to exercise a tight reign over your development team. Wonderful ideas using AJAX may sound compelling, but you should consider saving them for version 2, whilst you focus on building a rock-solid version 1.

Originally published at http://profoundway.blogspot.com/2006/06/ajax-net-security.html

You might also like...

Comments

Moe Tarhini

Contribute

Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“In order to understand recursion, one must first understand recursion.”