Ajax on Rails by Scott Raymond

Chapter 8. Security

Securing a web application is not a job that can be put on a to-do list and then checked off. There is no definitive list of “thou-shalts” that will result in perfect security. Designing secure web applications is a discipline that requires careful attention not just to the minutiae of code, but also to the larger principles of secure design.

The goal of this chapter is to work on both fronts: first describing the principles of web security, then identifying specific chinks in the armor that are common on the Web, and finally providing concrete strategies for protecting your application and data.

Some security issues are specific to Ajax development, but most aren’t. In general, Ajax doesn’t fundamentally change anything about web security—the principles remain the same as ever. But Ajax does add surface area to an application, and that brings the potential for unforeseen consequences. Every increase in system complexity comes with a security cost, because vulnerabilities aren’t as readily apparent.

The chief danger of using Ajax is not that it creates a new kind of security risk, but that it obfuscates old kinds of risk. By design, Ajax works in the background—often there’s no visible, UI-level indication that Ajax activity is even happening. The most important Ajax-related security principle is simply to remain conscious that Ajax requests are happening and that they’re regular HTTP requests, which demand all the same precautions as non-Ajax requests.
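To make that principle concrete, here is an added example (not code from the book or from Rails itself) of a request guard written in plain Ruby. The `Request` struct, the `authorize` function and the sample requests are constructed for illustration; the `X-Requested-With` header and the `authenticity_token` parameter name mirror what Prototype and Rails actually use. The point of the example is what it does not contain: there is no `unless xhr?(req)` shortcut, so an Ajax request has to satisfy exactly the same login and form-token checks as a regular form submission.

```ruby
# Added example: a request guard that applies the same precautions to
# Ajax (XMLHttpRequest) requests as to ordinary page requests.
# Request is a plain Struct standing in for a Rails request object.
Request = Struct.new(:method, :headers, :params, :session, keyword_init: true)

# Mirrors Rails' request.xhr? helper: Prototype marks Ajax calls with the
# X-Requested-With header. We only use this for logging, never for skipping checks.
def xhr?(req)
  req.headers['X-Requested-With'] == 'XMLHttpRequest'
end

# Constant-time string comparison so token checks don't leak timing information.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Every request needs a logged-in user; every state-changing request also needs
# a valid form token (named authenticity_token, as in Rails). Ajax gets no free pass.
def authorize(req)
  return :forbidden unless req.session[:user_id]
  if %w[POST PUT DELETE].include?(req.method)
    expected = req.session[:form_token]
    supplied = req.params['authenticity_token'].to_s
    return :bad_token unless expected && secure_compare(expected, supplied)
  end
  :ok
end

# Constructed sample requests (hypothetical session and token values).
LOGGED_IN = { user_id: 42, form_token: 'tok-abc123' }.freeze
AJAX_HEADERS = { 'X-Requested-With' => 'XMLHttpRequest' }.freeze

AJAX_POST_WITH_TOKEN = Request.new(method: 'POST', headers: AJAX_HEADERS,
                                   params: { 'authenticity_token' => 'tok-abc123' },
                                   session: LOGGED_IN)
AJAX_POST_NO_TOKEN   = Request.new(method: 'POST', headers: AJAX_HEADERS,
                                   params: {}, session: LOGGED_IN)
ANON_AJAX_GET        = Request.new(method: 'GET', headers: AJAX_HEADERS,
                                   params: {}, session: {})
PLAIN_FORM_POST      = Request.new(method: 'POST', headers: {},
                                   params: { 'authenticity_token' => 'tok-abc123' },
                                   session: LOGGED_IN)

if __FILE__ == $PROGRAM_NAME
  [AJAX_POST_WITH_TOKEN, AJAX_POST_NO_TOKEN, ANON_AJAX_GET, PLAIN_FORM_POST].each do |req|
    puts "#{req.method} #{xhr?(req) ? '(ajax) ' : ''}-> #{authorize(req)}"
  end
end
```

Run it directly to see that the Ajax POST with a valid token and the plain form POST both pass, while the Ajax POST missing its token and the anonymous Ajax GET are rejected, exactly as their non-Ajax counterparts would be.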

Healthy Skepticism: ...