2

I am working on an ASP.NET MVC web application. In the view I wrote the following JavaScript, which calls an external web service:

<script type="text/javascript">
$(function() {
  $.getJSON("https://MyERPsystem.com/jw/web/json/hr/getsalary/byid?master_username=superadmin&password_hash=9449B5ABCFA9AFDA36B801351ED3DF66&employeeid=A200121",
    {
      // code goes here
    },
    function(data) {
      $.each(data.items, function(i, item) {
        // code goes here
      });
    });
});
</script>

So if the external web service implements HTTPS, does this mean that the master_username and password_hash inside the JavaScript cannot be seen by external users? Best Regards

3 Answers

6

HTTPS secures everything from the moment it leaves the browser until it enters the server.

The data is protected in transit so external users cannot access it.

It will not protect the data from people who control the browser, i.e. the rightful user and anyone who has compromised the user's system.

Quentin
  • So this means that in my case the "master_username" & "password_hash" will be exposed to clients? –  Nov 12 '12 at 13:45
  • @saveingsaving — Yes. You are giving them to the client so it can send them back. – Quentin Nov 12 '12 at 13:47
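
As an added illustration of the answer above (not code from the question or from any poster): a small Node.js check that scans the markup a view sends to the browser and reports credential-like query parameters in URL literals, which are readable from the page source whether or not the request itself goes over HTTPS. The parameter-name list, the function names and the sample markup are assumptions made for this example.

```javascript
// Parameter names treated as credential-like (assumed list; extend for your API).
const SECRET_PARAM = /user|pass|pwd|hash|secret|token|api[_-]?key/i;

// Bodies of inline <script> blocks in an HTML string.
function inlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map((m) => m[1]);
}

// Absolute http(s) URLs that appear as quoted string literals in a script.
function urlLiterals(js) {
  const re = /(["'`])(https?:\/\/[^"'`\s]+)\1/g;
  return [...js.matchAll(re)].map((m) => m[2]);
}

// Report every credential-like query parameter the browser would receive.
function findExposedCredentials(html) {
  const findings = [];
  for (const js of inlineScripts(html)) {
    for (const literal of urlLiterals(js)) {
      let url;
      try { url = new URL(literal); } catch { continue; } // skip unparsable literals
      for (const [name, value] of url.searchParams) {
        if (!SECRET_PARAM.test(name)) continue;
        findings.push({
          endpoint: url.origin + url.pathname,
          scheme: url.protocol.replace(":", ""),
          param: name,
          valueLength: value.length, // length only, so the report is not a second leak
        });
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the question's view; host and values are placeholders.
const SAMPLE_VIEW = `<script type="text/javascript">
$(function () {
  $.getJSON("https://erp.example/jw/web/json/hr/getsalary/byid?master_username=demo&password_hash=PLACEHOLDER&employeeid=E1",
    {}, function (data) {});
});
</script>`;

console.log(findExposedCredentials(SAMPLE_VIEW));
```

Both findings are reported with `scheme: "https"`: the transport is encrypted, yet the values are already in the markup delivered to every visitor.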
0

Using HTTPS means attacks like MITM can't be achieved (at least not that easily). Anyways, keep in mind that the data that will end up in the client side still can be accessed from the machine itself.

alexandernst
  • So this means that in my case the "master_username" & "password_hash" will be exposed to clients? –  Nov 12 '12 at 13:45
0

I thought that only the internals to the HTTP request are encrypted. The actual URL and query string information are not. Probably worth double checking though. Try using something like Fiddler or Wireshark to inspect the HTTP request internals.

Kevin Up