I have a project with the following aspects:

  1. Frontend web application made in PHP, jQuery (Ajax) with a local database for aspects like end user authentication and configuration of the frontend web application.

  2. Backend REST Web Services (running in other domain and machine than frontend application), invoked by the frontend using jQuery and JSONP technique.

I need to make that communication in a secure way and I don't know how. I hope someone can help me. I'll be very very grateful.

Asbjørn Ulsberg
Ronye Vernaes

2 Answers


The easiest thing to do is to serve the Web Services through HTTPS and use HTTP Basic as the authentication method. This is simple to set up on both the client and server and supported by most front- and back-end frameworks.

If your web browser can speak HTTPS, Ajax (i.e. XMLHttpRequest) can speak HTTPS too. You can easily set the Authorization header in the Ajax requests, and the value can be built by just base-64 encoding a username and password retrieved from the user of the web application.

Asbjørn Ulsberg
  • I'm not sure if you can make HTTPS restricted request from Javascript / AJAX layer directly. It seems I need to have a proxy server page at the frontend web application to communicate with the backend webservice but I would like to have a method to avoid this. Do you know how to make this HTTPS configuration over an AJAX application? Is there an alternative around? – Ronye Vernaes Sep 29 '11 at 16:53
  • No, you don't need a proxy server. Ajax uses your web browser to do the HTTPS request, so unless your browser can't do HTTPS, it will work just fine. – Asbjørn Ulsberg Sep 29 '11 at 16:59
  • I wasn't talking about a "proxy server", but a "proxy pattern" to make the AJAX request inside the same web app, delegating the backend request to the "proxy page". Otherwise, what you're saying seems to me very useful. I wasn't sure that I can make HTTPS request from AJAX application. I'm going to investigate this issue. Thank you very much! – Ronye Vernaes Sep 30 '11 at 16:53
  • I see. But yea, you need neither a proxy script nor a server to perform HTTPS requests in AJAX. :-) – Asbjørn Ulsberg Sep 30 '11 at 17:19

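As an added example (not the answer author's code) of what this answer describes: building the Basic `Authorization` value from a username and password, the server-side parse that goes with it, and a guard that only attaches credentials to an https: URL. Setting a header this way needs an XMLHttpRequest (with CORS enabled on the backend) rather than the JSONP script-tag technique from the question; the URL and names below are constructed.

```javascript
// Base64-encode a UTF-8 string so non-ASCII passwords survive the trip
// (btoa alone only handles Latin-1).
function base64Utf8(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

function base64Utf8Decode(b64) {
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// RFC 7617: the user-id must not contain a colon, because the colon is the
// separator between user-id and password.
function basicAuthHeader(username, password) {
  if (username.includes(":")) {
    throw new Error("Basic auth user-id must not contain ':'");
  }
  return "Basic " + base64Utf8(`${username}:${password}`);
}

// Server-side counterpart: split on the FIRST colon only, so passwords that
// themselves contain colons are preserved. Returns null on malformed input.
function parseBasicAuth(headerValue) {
  const match = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(headerValue || "");
  if (!match) return null;
  const decoded = base64Utf8Decode(match[1]);
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Request options for the Ajax call; refuses to send credentials over http:,
// since Basic auth is only a base64 wrapper, not encryption.
function authenticatedRequestOptions(url, username, password) {
  if (new URL(url).protocol !== "https:") {
    throw new Error("refusing to send Basic credentials over a non-HTTPS URL");
  }
  return {
    method: "GET",
    headers: { Authorization: basicAuthHeader(username, password) },
  };
}

// Browser usage (constructed backend URL), with fetch or jQuery:
//   const opts = authenticatedRequestOptions("https://api.example.com/v1/items", user, pass);
//   fetch("https://api.example.com/v1/items", opts);
//   $.ajax({ url: "https://api.example.com/v1/items", headers: opts.headers });
```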

There is no simple answer for this, however there are a few methods that you can choose to employ based on your specific needs.

  • To secure web services you can authenticate requests using OAuth.
  • Never trust input to the server, sanitize everything. Details here.
  • Microsoft offers a generalized (e.g. not Microsoft product-based) guide for building secure applications here.

Good luck!

Terry