
I am designing a website, and I really want it to be as secure as possible. I have a private folder that cannot be accessed (.htaccess) which contains all my PHP classes (and similar structures), and a public folder that has my JavaScript, CSS and a PHP file for the JavaScript (via AJAX) to interface with, which in turn accesses the classes in the private folder.

Now here is my issue, and for the life of me I just cannot seem to get my head around this one:

If someone were to look at the JS code they would see the commands/data being sent to the publicly available PHP script (as described above), therefore getting an idea of what commands to use to interface with that script and potentially gain access to stored data etc.

Now I know that AJAX won't work remotely etc., but as long as you got the commands from the AJAX script you could interface directly with it, so I thought I would do a referrer check on the interface script, and that worked perfectly until I realized how easy it is to spoof your referrer header!

Does anyone have any ideas on how to secure this? If this just sounds like complete garbage, tell me and I'll try and break it down further.


6 Answers

2

AJAX and JS are client-based - everything they do, any user can do. If you expose an API method to AJAX, you expose it to the user - there's nothing you can do about that. That's your design choice. You could of course obfuscate your API calls, but that doesn't really do anything other than make it less user-friendly.

The bottom line: don't trust any user input, regardless of whether it came from your AJAX code or somewhere else.


2 Comments

Yeah, I suppose there's no way around it, is there? Exposing the API to JS is just like exposing the API to the user directly; no way around it.
@DuDeX exactly, it's like trying to hide image sources from your users: you want them to be able to see the images but be unable to download them. It's just not feasible; if the browser (or JS, or AJAX) can see it, so can any user.
1

Well, someone scripting your site directly would only be able to access the same stuff he already can in the UI, right?

If you have a script function doAdminStuff(), you would check server-side if the user is logged in AND is an admin before taking any actions.

3 Comments

Sure, I see what you mean, but if for example you see the logon AJAX request, you could build a brute-force attacker for the passwords etc.
Exactly as you could do a brute force in a non-AJAX request. It's up to you to handle this.
Last, when concerning security, don't think of AJAX as a new type of request. At a more basic level, they are much like normal requests. There is nothing that you can do with AJAX that you can't do without it. So, just take the normal precautions.
1

Relax, dude.
This is SPARTA! WEB.
Every site in the world is "exposed" like this. That's the way the web works, AJAX or non-AJAX based.
You can't help it, yet there is no harm in this. There is nothing to secure.

4 Comments

Maybe I need to lay off the coffee, I think!!
+1, don't see what's with the downvote; this is a good answer and also true :)
I agree, this is my question, I'll do the downvoting (if required). Thanks.
Haha, the 'sparta' bit made me chuckle :D
1

Here are my recommendations:

  1. Use SSL if you are not already.

  2. Use a (software) token for all requests that you want to protect.

  3. To discourage others from reading your JavaScript files, you can obfuscate them. Dean Edwards' packer is a famous one.

  4. Write a script that sniffs logs and data for potentially bad activity. If you are not logging all the activity you need to (like if the apache logs are not enough) consider writing activity to your own log.

1 Comment

I cannot see why this got a downvote; this is by a long shot the best answer of the lot.
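What point 2 of the answer above (a software token for protected requests) can look like in the asker's PHP gateway, as an added example that is not the answerer's code. The function names and the X-Request-Token header are my own choices. The token ties each AJAX request to the session that rendered the page, so a third-party site cannot forge a request through the victim's browser; it does nothing to stop a logged-in user calling the API themselves, which is the point the other answers make.

```php
<?php
// Added example (not from the question or answers): a per-session request
// token for the AJAX gateway. Generated once per session, embedded in the
// page for the JS to read, and verified with a constant-time comparison.
declare(strict_types=1);

session_start();

// Issue (or reuse) the session's token: 32 random bytes from the CSPRNG.
function issueRequestToken(): string
{
    if (empty($_SESSION['request_token'])) {
        $_SESSION['request_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['request_token'];
}

// Compare what the client presented against the session copy. hash_equals
// avoids leaking how many leading bytes matched through timing.
function verifyRequestToken(?string $presented): bool
{
    $expected = $_SESSION['request_token'] ?? '';
    if ($expected === '' || $presented === null) {
        return false;
    }
    return hash_equals($expected, $presented);
}

// Call this after the password check succeeds: a fresh session id and a
// fresh token, so nothing chosen before authentication carries over.
function onLoginSuccess(array $user): void
{
    session_regenerate_id(true);
    unset($_SESSION['request_token']);
    $_SESSION['user'] = $user;
}

// Page side: emit the token where the JavaScript can read it (HTML-escaped).
function renderTokenMeta(): string
{
    return '<meta name="request-token" content="'
        . htmlspecialchars(issueRequestToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Gateway side: run before any CMD is dispatched. The JS sends the token in
// a custom header, which a plain cross-site form post cannot set, e.g.
//   fetch('/gateway.php', {
//     method: 'POST',
//     headers: {'X-Request-Token':
//       document.querySelector('meta[name=request-token]').content},
//     body: new URLSearchParams({CMD: 'list_my_orders'})
//   });
function requireRequestToken(): void
{
    if (!verifyRequestToken($_SERVER['HTTP_X_REQUEST_TOKEN'] ?? null)) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'bad or missing request token']);
        exit;
    }
}
```

Send the token in a header or POST field, never in the URL, so it does not end up in server logs or the Referer of outbound links. It is worth being explicit that this is a forgery defence: the logged-in user can always read the token from their own page, exactly as they can read the CMD names from the .js.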
0

Don't be paranoid, just filter input params. Maybe you should switch on SSL so your AJAX request content will be hard to sniff, etc.

2 Comments

SSL is OK but will not solve the issue. For example, in my PHP-AJAX interface I have a large switch/case command that gets a POST "CMD" from the AJAX script along with some data to perform a task (the interface, when it receives a valid "CMD" from AJAX, will then get the necessary method data etc. from the private classes). All it would take is for someone to look at the .js, see the AJAX requests and see all the different CMDs to interface with the PHP file.
You need to provide a model for the script to access your data so the user can query your script and get a data result, not some internal script path.
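The allow-listed gateway that the first two answers describe ("don't trust any user input", "check server-side if the user is logged in AND is an admin"), applied to the switch/case the asker describes in the comment above. This is an added example, not code from the asker or any answerer; the command table, the role names and the OrderStore/UserStore classes it calls are hypothetical. The point it shows is that reading every CMD name out of the .js gains an attacker nothing, because each command is authorised against the server-side session before it runs.

```php
<?php
// gateway.php, added example (not the asker's code). Every CMD is looked up
// in an allow-list, the caller's identity comes only from the server session,
// and each command declares the role it needs. OrderStore and UserStore are
// hypothetical classes standing in for the "private folder" classes.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// Allow-list: CMD => [role required, handler]. Anything not listed is
// rejected, so the client cannot reach arbitrary methods by naming them.
$commands = [
    'list_my_orders' => ['role' => 'user',  'handler' => 'listMyOrders'],
    'delete_user'    => ['role' => 'admin', 'handler' => 'deleteUser'],
];

function respond(int $status, array $body): void
{
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// Identity is whatever the login code stored in the session, e.g.
// ['id' => 42, 'role' => 'user']; never a user id or role from the request.
function currentUser(): ?array
{
    return $_SESSION['user'] ?? null;
}

function listMyOrders(array $user, array $params): array
{
    // Scope the data to the session user, not to an id the client supplied,
    // otherwise any user could enumerate other users' orders.
    return ['orders' => OrderStore::forUser($user['id'])];  // hypothetical
}

function deleteUser(array $user, array $params): array
{
    // Validate the parameter even though only admins get this far.
    $target = filter_var($params['id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($target === false) {
        respond(400, ['error' => 'invalid id']);
    }
    UserStore::delete($target);  // hypothetical
    return ['deleted' => $target];
}

$user = currentUser();
if ($user === null) {
    respond(401, ['error' => 'not logged in']);
}

$cmd = $_POST['CMD'] ?? '';
if (!isset($commands[$cmd])) {
    respond(400, ['error' => 'unknown command']);
}

// Authorisation is decided here, from the session role, not from anything
// the JavaScript sent. Knowing that 'delete_user' exists does not help a
// plain user invoke it.
if ($commands[$cmd]['role'] === 'admin' && $user['role'] !== 'admin') {
    respond(403, ['error' => 'forbidden']);
}

$handler = $commands[$cmd]['handler'];
respond(200, $handler($user, $_POST));
```

The design choice worth noticing is that the handlers receive the session user and the raw POST data separately: the user's identity and privileges are never derived from the request, so a spoofed Referer, a hand-crafted POST or a replayed CMD all end up exactly where the UI would have put that user anyway.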
0

Are you using the AJAX thing only for security reasons or for any other reason? Because you can build up an architecture like this (a PHP file as "gateway" and all other PHP files in an access-restricted folder) without using AJAX as well. If you want to check it out, you could take a look at the default folder structure of Zend Framework. This structure has the advantage that there is no logic visible to your users at all.

Also important is that IE (at least IE 6 & 7, I think) does not send a referrer at all by default, so this probably wouldn't work anyway.

1 Comment

I am using AJAX for aesthetics; it's so nice to have AJAX, looks smart.
