0

If I am using Ajax call methods in my asp.net application for submitting some values, how I can protect these values from client side edit through browser?

Please suggest.

Praveen VR
  • 1,554
  • 2
  • 16
  • 34
  • Do everything client-side that doesn't affect anyone if the user temper it.Do everything server-side that need to be secure. – xxxx Jun 04 '15 at 06:42
  • See how facebook protecting their ajax calls. I am looking for that kind of ideas – Praveen VR Jun 04 '15 at 06:46

2 Answers2

1

There is no way to 100% protect client from changing values.

There is one simple thing you should do, it called obfuscation, it means, make your production public code(client side js) very hard to understand.

check this

Chen Kinnrot
  • 20,609
  • 17
  • 79
  • 141
1

I'm not sure if I'm interpreting this question correct, but here goes:

If you are looking to protect the values of variables from being edited or looked at by the console or such, you should look at scoping through IIFE (Immediately Invoked Function Expression).

From Greg franko's blog:

Since the anonymous function within our IIFE is a function expression and is not being assigned to a global variable, no global property is being created, and all of the properties created inside of the function expression are scoped locally to the expression itself.

This way, any variable you declare and set within this function can not be accessed simply through the window object that your console works in. Ben Alman coined the term, so google him if you are further researching the topic.

If you want to protect variables that are hardcoded in your code (such as login information to an external service?) I -think- you could protect these by removing them from your JS file and instead request these values through ajax from your server. Doing this and storing the requested values from inside an IIFE would protect them similarly.

A question you should ask yourself though: "Do I really need to send information to the client that I don't want the client to see?". It's quite counterintuitive to do this at all.

For example, in the case of needing credentials for a 3rd-party service: send a request to your own server instead, letting your server handle the request to the 3rd-party server (keeping the credentials server-side instead of on the client) and then returning the result of the 3rd-party server to your client. This creates a secure middle man that holds sensitive information and is inaccessible by just anyone visiting your site, but does incur a performance cost.

Ward D.S.
  • 536
  • 3
  • 11