
I have a simple call to a REST API using jQuery/AJAX. I realize that the parsing method here could be done more elegantly and will ask another question on that (although any comments here are welcome).

Current Question: Are there glaring or not-so-glaring vulnerabilities in using this method to retrieve and parse API data? Would using a server-side script to retrieve it first behind the firewall and save it outside the firewall to access it through this webpage be a marked improvement?

$(function() {

    $.ajax({
        type: "GET",
        async: true,        // jQuery expects booleans here, not the strings "true"
        crossDomain: true,
        url: "https://data.usajobs.gov/api/Search?Organization=XXXX&WhoMayApply=All",
        headers: {
            // Everything in this object is shipped to every visitor's browser and is
            // readable in the page source and in the network panel.
            "authorization-key": "XXXXXXXXXXXXXXXXXX",
            // "user-agent" and "host" are forbidden request headers: browsers drop
            // them silently, so these two lines have no effect on the request sent.
            "user-agent": "[email protected]",
            "host": "data.usajobs.gov",
            "cache-control": "no-cache"
        }
    }).done(function(data) {
        "use strict";
        var jts = [];
        var json_obj1 = data.SearchResult.SearchResultItems;
        var json_obj2 = $.makeArray(json_obj1);

        // $.each replaces $.map: the callback's return value was never used.
        $.each(json_obj2, function(_, v) {
            var start = v.MatchedObjectDescriptor.PositionStartDate;
            var start_f = moment.utc(start).format('MMMM Do YYYY');

            var end = v.MatchedObjectDescriptor.PositionEndDate;
            var end_f = moment.utc(end).format('MMMM Do YYYY');

            // Every value below comes straight from the API response and is
            // concatenated into markup without escaping, so it is parsed as HTML.
            jts.push("<tr><td><strong><a href='" + v.MatchedObjectDescriptor.PositionURI + "'>" + v.MatchedObjectDescriptor.PositionID + ", " + v.MatchedObjectDescriptor.PositionTitle + "</a> &#187;</strong></td><td>" + v.MatchedObjectDescriptor.JobGrade[0].Code + "-" + v.MatchedObjectDescriptor.UserArea.Details.LowGrade + " - " + v.MatchedObjectDescriptor.UserArea.Details.HighGrade + "</td><td>" + start_f + " - " + end_f + "</td><td>" + v.MatchedObjectDescriptor.UserArea.Details.WhoMayApply.Name + "</td></tr>");
        });

        if (jts.length) {
            // show table on success()
            $('.job_table').css('display', 'block');
            $('#no_message').css('display', 'none');
        }

        var ls = jts.join("");
        $('.job_table tbody#live_jobs').html(ls);
        console.log(ls);
    });

});
  • So you're wanting to hide the authorization key? What exactly are your goals? If you're wanting to hide the auth key, then yes, you need to write a web service that accepts the AJAX request, gets the data from usajobs.gov, and then returns that data. Commented May 23, 2016 at 14:38
  • Just hiding the auth key for this post; it would have a valid auth key and user-agent value. Sorry not to clarify that. Commented May 23, 2016 at 21:45
  • See stackoverflow.com/questions/11470389/…. You basically just need to do it server side. Commented May 24, 2016 at 0:26
  • I do not necessarily need to hide the auth key, I just hid it for this SO post, just as I did my email. I want to know about any security issues with this in-page method of using jQuery/Ajax that returns JSON to make an API call. Commented May 24, 2016 at 12:53
  • "there are a lot of SO readers that LOVES to opine about security, even when the question isn't about security"... is exactly why I posted my code and a general question, opening the discussion up to any and all input on the security of the code. Thanks for pointing out that if my auth key and email address are in the code, that someone can easily get it. Commented May 24, 2016 at 17:36
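The web service the comments describe, together with escaping for the rendered row, as an added example (not the asker's code and not part of the USAJOBS API): it assumes Node 18+ with a global fetch, and USAJOBS_KEY and USAJOBS_USER_AGENT are placeholder environment variable names; the date columns are left out for brevity.

```javascript
// Added example, not the asker's code: a server-side relay that keeps the
// Authorization-Key and User-Agent out of the page, and a row builder that
// escapes API fields before they reach .html(). Assumes Node 18+ (global fetch);
// USAJOBS_KEY and USAJOBS_USER_AGENT are placeholder environment variable names.
const UPSTREAM = "https://data.usajobs.gov/api/Search";
// Forward only the parameters the page uses; the relay is not an open proxy.
const ALLOWED_PARAMS = ["Organization", "WhoMayApply"];

function buildUpstreamUrl(clientQuery) {
  const url = new URL(UPSTREAM);
  for (const k of ALLOWED_PARAMS) {
    if (clientQuery[k] !== undefined) url.searchParams.set(k, String(clientQuery[k]));
  }
  return url.toString();
}

// Server side. fetchFn and env are injectable so this can run without network access.
async function relaySearch(clientQuery, fetchFn = fetch, env = process.env) {
  const resp = await fetchFn(buildUpstreamUrl(clientQuery), {
    headers: {
      "Authorization-Key": env.USAJOBS_KEY,  // secret never reaches the browser
      "User-Agent": env.USAJOBS_USER_AGENT,  // browsers refuse to set this; a server can
    },
  });
  if (!resp.ok) return { status: 502, items: [] };
  const data = await resp.json();
  // Return only the fields the table renders, not the whole upstream payload.
  const items = (data.SearchResult.SearchResultItems || []).map((v) => {
    const d = v.MatchedObjectDescriptor;
    return { uri: d.PositionURI, id: d.PositionID, title: d.PositionTitle,
      grade: d.JobGrade[0].Code, low: d.UserArea.Details.LowGrade,
      high: d.UserArea.Details.HighGrade, who: d.UserArea.Details.WhoMayApply.Name };
  });
  return { status: 200, items };
}

// Client side. Escape every API-supplied value: a title or URI containing markup
// would otherwise be parsed as HTML when the row is inserted with .html().
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

function renderRow(item) {
  const href = /^https:\/\//.test(item.uri) ? item.uri : "#"; // drop non-https hrefs
  return `<tr><td><strong><a href="${escapeHtml(href)}">${escapeHtml(item.id)}, ` +
    `${escapeHtml(item.title)}</a> &#187;</strong></td><td>${escapeHtml(item.grade)}-` +
    `${escapeHtml(item.low)} - ${escapeHtml(item.high)}</td><td>` +
    `${escapeHtml(item.who)}</td></tr>`;
}
```

The page then calls the relay's endpoint with a plain `$.ajax` and no headers, and builds the table from `renderRow` instead of concatenating raw fields.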
