
I am planning to use the CryptoSupport API to encrypt/decrypt certain cookie keys bearing PCI/PII customer data. I am setting/reading these cookies on both the client and server side. At the server end (Java), I am able to call the API and encrypt/decrypt. How do I call the API from the client side (JavaScript)? The usage is quite heavy on the client side and I don't want to make Ajax calls to the server.

  • Is it advisable to use this API with the requirement of encrypting cookie data used on both the client and server side?
  • Or is there a simpler encryption API for this purpose?
Saravana Prakash

1 Answer


It is a server-side AEM capability only.

And think about it--if you were able to call an API to decrypt a cipher on the client side (JavaScript), what security would it provide? End users could easily also decrypt the cipher and see the secret, so it really would defeat the purpose of having an encrypted secret.

See "What encryption algorithm is best for encrypting cookies?", which says:

Since this question is rather popular, I thought it useful to give it an update.

Let me emphasise the correct answer as given by AviD to this question:

You should not store any data that needs encrypting in your cookie. Instead, store a good sized (128 bits/16 bytes) random key in the cookie and store the information you want to keep secure on the server, identified by the cookie's key.

Shawn
  • :D yeah, you are right. I was thinking a server-side JSON like /libs/cq/i18n/dict.en_ca.json might be available for the client side to use. My bad, and I get that it'll defeat the purpose of encryption. Thanks for clarifying – Saravana Prakash Jan 19 '17 at 18:55
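The pattern the answer quotes (a random 128-bit key in the cookie, the sensitive data kept on the server and looked up by that key) as an added, stand-alone example. This is not code from the question, the answer, or AEM's CryptoSupport API; the class name `OpaqueCookieStore` and the in-memory `ConcurrentHashMap` standing in for a real session store are assumptions of this example. The cookie value carries no customer data, so there is nothing for browser-side script to decrypt, which is exactly the point the answer makes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical server-side store keyed by an opaque random cookie value.
 * Not part of AEM or CryptoSupport; written for this example only.
 */
public final class OpaqueCookieStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int KEY_BYTES = 16; // 128 bits, as the quoted answer recommends

    // Constructed in-memory store. A deployment would use a shared store with a TTL.
    // The map is keyed by a hash of the token so a leaked store does not yield usable cookies.
    private final Map<String, String> sensitiveByKeyHash = new ConcurrentHashMap<>();

    /** Generates an opaque key, stores the sensitive value server-side, returns the key for the cookie. */
    public String store(String sensitiveValue) {
        byte[] raw = new byte[KEY_BYTES];
        RNG.nextBytes(raw); // CSPRNG: the key must be unguessable, not merely unique
        // URL-safe, unpadded Base64 so the value is cookie-safe without further escaping
        String key = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sensitiveByKeyHash.put(sha256(key), sensitiveValue);
        return key;
    }

    /** Resolves a cookie value back to the server-held data; empty for unknown or missing keys. */
    public Optional<String> lookup(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) {
            return Optional.empty();
        }
        return Optional.ofNullable(sensitiveByKeyHash.get(sha256(cookieValue)));
    }

    /** Drops the server-side record, e.g. on logout, so the cookie becomes worthless. */
    public void invalidate(String cookieValue) {
        if (cookieValue != null) {
            sensitiveByKeyHash.remove(sha256(cookieValue));
        }
    }

    /**
     * Builds a Set-Cookie header value. HttpOnly keeps the key away from page scripts,
     * Secure keeps it off plaintext HTTP, SameSite limits cross-site sending.
     */
    public static String setCookieHeader(String name, String key, int maxAgeSeconds) {
        return name + "=" + key + "; Path=/; Max-Age=" + maxAgeSeconds
                + "; Secure; HttpOnly; SameSite=Lax";
    }

    private static String sha256(String input) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    public static void main(String[] args) {
        OpaqueCookieStore store = new OpaqueCookieStore();
        String key = store.store("cardholder-name=J. Doe"); // constructed sample value
        System.out.println(setCookieHeader("sid", key, 900));
        System.out.println("lookup(key)   -> " + store.lookup(key).orElse("<none>"));
        System.out.println("lookup(guess) -> " + store.lookup("not-a-real-key").orElse("<none>"));
        store.invalidate(key);
        System.out.println("after logout  -> " + store.lookup(key).orElse("<none>"));
    }
}
```

If page script legitimately needs some non-sensitive attribute of the customer, the server hands it over in a response after resolving the key; the browser never receives, and never needs to decrypt, the protected data itself.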