
I'm currently learning JavaScript and jQuery, and I'm wondering how would one make it secure? For instance: preventing the user from seeing what's in the JSON or preventing the user from actually seeing the password/token to grab this information?

Danny Beckett
  • What are you talking about? Where is the JSON? Where is it exposed and what sort of attack are you concerned about mitigating? – Matt Ball May 23 '13 at 00:59
  • SSL is the only way to guard from a third party gaining the knowledge. – Orangepill May 23 '13 at 00:59
  • Seeing it where? By observing traffic, or on the browser? If you are sending it to the browser and it can decode it, then so can the user. – loganfsmyth May 23 '13 at 00:59
  • You can't prevent the user from seeing anything in the DOM. All they need to do is open your page in Firebug. – Shadow Man May 23 '13 at 00:59
  • The user could just copy and paste the jquery ajax call and then grab the same data thus the data would not be secure. – user2304642 May 23 '13 at 01:11
  • What data are you transmitting to the browser that users shouldn't see? It's pretty much a given that anything sent to the client is fully available for (ab)use by that client. Write your code accordingly. – Matt Ball May 23 '13 at 01:14

4 Answers


The answer is: there isn't one.

The longer answer is: you can encrypt your JSON feed. You can do anything you like in your JSON feed. However, all the decryption, all the keys and secrets of it, will be in your JS client-side file, which means that it all ultimately amounts to nothing (or rather, to obscurity).

Instead of doing this, consider hashing the password so someone can only verify against it instead of seeing it in plaintext. Simple steps like this help improve security. However, even that is not terribly good: it enables offline cracking of passwords.

Sébastien Renauld

It doesn't make sense to encrypt your input. JavaScript runs client-side, this means your decryption algorithm runs client-side. With a little tinkering anyone could figure out the algorithm and the keys used to decrypt the input.

Halcyon

If you are storing passwords in JSON, you should probably encrypt or securely hash the password. You could have a look at the following questions:

  • Password encryption at client side
  • Is it worth hashing passwords on the client side

Community

It's really easy for any curious user to see what's going on on the client side. You can display page source, inspect network queries with Chrome Developer Tools or Firefox Web Console.

If you want to prevent data from being read by the user, you'll have to keep it server-side.

Eric Citaire