New on LowEndTalk? Please Register and read our Community Rules.
Best Way to Hide URL in $.ajax - Secure your Webpage
fresher_06
Member
Hey Everybody..
I am working on my website where I am using lots of $.ajax in jQuery .. but the url section of it, the link to which the POST request is going, is visible. Something like below:
$.ajax({
    type: "POST",
    url: "update_cust_results.php",
    data: dataString,
    success: function (response) { console.log(response); }
});
Any suggestions .. how to hide this "update_cust_results.php" url .. In my update_cust_results.php page, I have made it only go further if the user is logged in .. but that's just a basic security measure ..
Any other good security mechanism from the gurus?
Comments
Check login. No way to hide unless you post to a page and load the .php with require_once()
Go.php?do=something
<?php
// Go.php: match the "do" parameter against a known list and load that file, otherwise do nothing
$routes = ['something' => 'update_cust_results.php'];
$do = $_GET['do'] ?? '';
if (isset($routes[$do])) { require_once $routes[$do]; }
(on phone) doesn't really hide anything, just more confusing I guess
even javascript encode isn't useful. But more confusing again
Add Ajax check to your script http://davidwalsh.name/detect-ajax
Hiding a URL has never been a security measure (even a basic one). You can authenticate requests being sent to a URL though.
Anyone with firebug plugin can track the ajax request URL.
@fresher_06 why exactly do you want to "hide" the URL?
security by really weak obscurity
You need to add security to your PHP file. AJAX passes session data, so do user permissions checking, CSRF protection, blah blah. AJAX isn't going to magically protect you if you can hide the filename somehow.
No. Whatever you're doing stop now!
Just fix update_cust_results.php
@vedran .. what all security measures can I put in "update_cust_results.php" .. at least the few generic ones .. I have the basic user authentication stuff .. but that's all I have right now .. any more suggestions?
Use a form request token that's generated on every page load and stored in the user's session. Send the token in post data. Make sure the posted token matches the session token.
not possible to hide, especially when you have firebug turned on
Like others have said, trying to hide things isn't going to work. It's trivial to use a proxy tool like Fiddler to watch all the traffic.
Do good authentication and then your best protection is usually handing random string tokens back and forth. When your page loads, include a random string token that is sent to update_cust_results.php. On the server side make sure the proper token is sent. If not, reject it.
A great resource is at owasp.org. The technique I described above is covered under CSRF or cross site request forgery. Go and read that site; it's a good start for writing secure code.
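The token handshake the two replies above describe (a random token stored in the session, sent back in the POST body, compared on the server), written out as an added example that is not code from anyone in the thread. It assumes the existing login check sets $_SESSION['user_id'], that the page is served as page.php, and that the token is posted in a field named csrf_token.

```php
<?php
// Added example, not from the thread. page.php mints a token, embeds it in the page and
// the $.ajax call sends it back; update_cust_results.php refuses any POST whose token does
// not match the one in the session. Hiding the URL is not needed for this to work.
session_start();

// Called when the page is rendered: mint a fresh token and remember it in the session.
function csrf_issue_token(): string
{
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars from a CSPRNG
    return $_SESSION['csrf_token'];
}

// Called at the top of update_cust_results.php: true only if the posted token matches.
function csrf_token_is_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so a mismatch cannot be timed out byte by byte.
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// --- page.php: embed the token so the client-side script can read it ---
function render_page(): void
{
    $token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
    echo <<<HTML
<meta name="csrf-token" content="{$token}">
<script>
  // The same $.ajax call as in the original post, now carrying the token as a POST field.
  $.ajax({
    type: "POST",
    url: "update_cust_results.php",
    data: { csrf_token: $('meta[name="csrf-token"]').attr('content'), payload: dataString }
  });
</script>
HTML;
}

// --- update_cust_results.php: check the login first, then the token, then do the work ---
function handle_update(): void
{
    if (empty($_SESSION['user_id'])) { http_response_code(401); exit('not logged in'); }
    if (!csrf_token_is_valid($_POST)) { http_response_code(403); exit('bad or missing CSRF token'); }
    // ... safe to update the customer results here ...
}

// Dispatch on the script name so this single file can stand in for both pages.
basename($_SERVER['SCRIPT_NAME']) === 'update_cust_results.php' ? handle_update() : render_page();
```

Because the token is regenerated on every page load, as the reply suggests, a request from an older tab will be rejected; keeping one token per session instead avoids that at no loss of protection.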