how to make ajax secured
could anyone here give me tips on how to secure my ajax application.
I haven't done much with Ajax but I think the principles of secure design as apply to "normal" php programming still apply. The thing to remember is that the client-side part (javascript) of ajax can be turned off at any time. So hackers can and will always be able to send requests directly to the server. So I think that as long as your server side code is as secure as can be, it doesn't matter if a request comes in a traditional way or via some fancy ajax script.
But then again, I haven't worked with ajax yet so if someone has some secret methods to add security layers to ajax I'd be happy to hear more about that.
- John Cartwright
- Site Admin
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
matthijs wrote:
I haven't done much with Ajax but I think the principles of secure design as apply to "normal" php programming still apply. The thing to remember is that the client-side part (javascript) of ajax can be turned off at any time. So hackers can and will always be able to send requests directly to the server. So I think that as long as your server side code is as secure as can be, it doesn't matter if a request comes in a traditional way or via some fancy ajax script.
But then again, I haven't worked with ajax yet so if someone has some secret methods to add security layers to ajax I'd be happy to hear more about that.
Considering all requests end up server side, that's where your main protection should fall. I'm not well versed in ajax so I can't speak as an expert, but it shouldn't matter if they have JavaScript turned off (for security purposes) because all requests end up in the same place regardless of how they're called.
Just make sure you sanitize your input, and htmlentities() your output.
- neel_basu
- Forum Contributor
- Joined: Wed Dec 06, 2006 9:33 am
- Location: Picnic Garden, Kolkata, India
You can make your PHP secure from other AJAX scripts.
You can use
$_SERVER['HTTP_REFERER']
in your PHP script to validate which AJAX is making the HTTP request, is it yours or others.
Then let this check if the REFERER is from your site; trust it and go on, else stop:
<?php
// Referer check as proposed in this post: read the Referer header (quoted key, with a
// fallback for browsers that send none) and look for the site's domain in it.
$req = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strstr($req, "yourdomain.com"))
{
    // Referer mentions our domain: go on
}
else
{
    // Referer missing or from elsewhere: stop
}
?>
- Jeroen Oosterlaar
- Forum Commoner
- Joined: Sun Nov 06, 2005 4:12 pm
neel_basu wrote:
You can make your PHP secure from other AJAX scripts.
You can use $_SERVER['HTTP_REFERER'] in your PHP script to validate which AJAX is making the HTTP request, is it yours or others.
Then let this check if the REFERER is from your site; trust it and go on, else stop:
<?php
$req = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strstr($req, "yourdomain.com")) { // Go on } else { // Stop }
?>
I do not agree with this solution. First, you can never be sure that the referrer header is specified by the browser. Second, it is easy to customize the referrer header to fake that the request is from the valid source. Instead, it is better to validate the input within the script that receives the AJAX requests, just as you would validate it if it were requested directly, for example when a user submits the form. This is good practice because, basically, there is no difference between AJAX requests and traditional requests.
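A server-side handler of the kind the last two replies describe (validate the input, escape output with htmlentities(), and treat an AJAX request exactly like a form submission, with no reliance on the Referer header), written here as an added example that is not code from any poster; the field names item_id and comment and the JSON response shape are assumptions:

```php
<?php
// Added example (not code from any poster): one handler that serves both a normal
// form POST and an XMLHttpRequest. Field names and the JSON shape are assumptions.

// Validate raw request parameters; returns a list of error strings (empty = valid).
function validate_request(array $params): array
{
    $errors = [];

    // item_id must be a positive integer; FILTER_VALIDATE_INT rejects "1abc", "" and null.
    $itemId = filter_var($params['item_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($itemId === false) {
        $errors[] = 'item_id must be a positive integer';
    }

    // comment must be a non-empty string of bounded length (also rejects comment[]=x).
    $comment = $params['comment'] ?? null;
    if (!is_string($comment) || trim($comment) === '' || strlen($comment) > 500) {
        $errors[] = 'comment must be a non-empty string of at most 500 bytes';
    }

    return $errors;
}

// Escape a value for an HTML context, as the thread recommends for all output.
function escape_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Whether the request came from an XMLHttpRequest, a form, or a hand-made HTTP
// client makes no difference here. $_SERVER['HTTP_REFERER'] is never consulted:
// the client controls that header and may omit it entirely.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    header('Content-Type: application/json; charset=UTF-8');
    $errors = validate_request($_POST);
    if ($errors !== []) {
        http_response_code(400);
        echo json_encode(['ok' => false, 'errors' => $errors]);
        exit;
    }
    // The escaped comment can be inserted into an HTML fragment on the client as-is.
    echo json_encode([
        'ok'      => true,
        'item_id' => (int) $_POST['item_id'],
        'comment' => escape_html($_POST['comment']),
    ]);
}
```

The same validate_request() function can be called from the page that handles the non-AJAX form submission, so both entry points enforce identical rules.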