The other day I was having a discussion on Ajax and one thing that stood out as a concern for using it was "security". If data is available openly as XML over HTTP, it is going to be a cakewalk for a smart hacker. Some of the security-related issues raised were:
- data protection
- protecting source code
- protecting web services
My initial thoughts go this way:
Data Protection: It is not necessary to use XML for data communication. GMail does not use XML in its Ajax, but serializes JS objects directly with some built-in security mechanism.
Source Code: I think we should never place any code in the presentation layer that might pose a security threat. To my knowledge, Ajax doesn't force anything specific to be done in code. It is more about how we like to design our application's front end to make it faster. It is in our hands to decide what on our site is a security issue and how it has to be tackled.
Protecting Web Services: Ajax has not made any changes to Web Services. The threats that exist today still hold with Ajax.
I am looking for more opinions on the different security threats that Ajax introduces and that might hamper making an application a rich web client.
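The post does not say what GMail's "built-in security mechanism" is. The example below is added here (not code from the post or from GMail) and assumes one common approach for serialized-object responses: the server prepends an unparseable guard prefix, so a response that an attacker loads as a cross-site script fails to execute, while the legitimate client strips the guard before parsing. `GUARD`, `serializeGuarded`, `parseGuarded` and `isExecutableAsScript` are names chosen for this example.

```javascript
// Added example: guarded serialization of JS objects for Ajax responses.
// Assumption (not from the post): the protection is a prefix that is a
// syntax error as JavaScript, placed in front of the JSON body.
const GUARD = ")]}',\n";

// Server side: serialize an object and prepend the guard. U+2028/U+2029 are
// valid inside JSON strings but are line terminators in JS, so escape them.
function serializeGuarded(obj) {
  const json = JSON.stringify(obj)
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return GUARD + json;
}

// Client side: refuse to parse a body that does not carry the guard
// (it did not come from our serializer), otherwise strip it and parse.
function parseGuarded(body) {
  if (typeof body !== "string" || !body.startsWith(GUARD)) {
    throw new Error("response missing guard prefix; refusing to parse");
  }
  return JSON.parse(body.slice(GUARD.length));
}

// Defender self-check: would this body run if pulled in via <script src>?
// A bare JSON array is a valid JS program; a guarded body is not.
function isExecutableAsScript(body) {
  try {
    new Function(body); // compiles only; nothing is executed
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample response for demonstration.
const sampleBody = serializeGuarded({ user: "alice", unread: [1, 2] });
console.log(sampleBody);
console.log("executable as script:", isExecutableAsScript(sampleBody)); // false
console.log(parseGuarded(sampleBody));
```

The guard only matters for a client that always strips it; a client that parses unguarded bodies as well would silently accept responses from elsewhere.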
Updated 2nd September, 05
Here is another view about Ajax security