Securing Ajax Applications, by Christopher Wells.
People are flocking to the Web more than ever before, and this growth is being driven by applications that employ the ideas of sharing and collaboration. Web sites such as Google Maps, MySpace, Yahoo!, Digg, and others are introducing users to new social and interactive features, to seeding communities, and to collecting and reusing all sorts of precious data. The slate has been wiped clean and the stage set for a new breed of web application.
Everything old is new again. Relationships fuel this new Web. And service providers, such as Yahoo!, Google, and Microsoft, are all rushing to expose their wares. It’s like a carnival! Everything is open. Everything is free, at least for now. But whom can you trust? Though mesmerized by the possibilities, as developers, we must remain vigilant for the sake of our users.
For us, it is critical to recognize that the fundamentals of web programming have not changed. What has changed is this notion of “opening” resources and data so that others might use that data in new and creative ways. Furthermore, with all this sharing going on, we can’t let ourselves forget that our applications must still defend themselves. As technology moves forward, and we find our applications becoming more interactive, sharing data between themselves and other sites, a host of new security concerns arises.
Our applications might consist of services provided by multiple providers (sites), each hosting its own piece of the application. The surface area of these applications grows too. There are more points to watch and guard, and that surface expands on both ends with technologies such as AJAX on the client and REST or Web Services on the server. Luckily, we are not left completely empty-handed. Web security is not new.
There are some effective techniques and best practices that we can apply to these new applications. Today, web programming languages make it easy to build applications without having to worry about the underlying plumbing. The details of connection and protocol have been abstracted away. In doing so, developers have grown complacent with their environments and, in some cases, are even more vulnerable to attack.
Before we continue moving forward, we should look at how we got to where we are today. In 1989, at a Conseil Européen pour la Recherche Nucléaire (CERN) research facility in Switzerland, a researcher by the name of Tim Berners-Lee and his team cooked up a program and protocol to facilitate the sharing and communication of their particle physics research.