
Generally securing/hiding URLs in client-side code



JeffBurr
14 Mar 2008, 12:47 PM
I wanted to tap the expertise out there on a general question that I have encountered while migrating a Web 1.0 application to using more ExtJS. This is a more general AJAX-related question.

My "client" is concerned that: while there used to be lots of php pages that were loaded server-side to render bits of html, now we are using Ext panels to load (and refresh) those bits. His concern is that this now exposes things like:


autoLoad: {url:"mod_acct_details.php", params: {custid: customerid, pgmode:"billaddr"}, text: "Loading..."}

in the client-side javascript. I have moved most of this into js includes, but the truth is that an only-slightly savvy bad person could read these too. The thought is that, with access to direct php scripts (and valid parameters), there is an increased chance to do damage and/or steal data.

Are there some obvious tricks that people are using to obfuscate this exposure? Is there something that I am missing? At this point we don't really want to get into compressing/"encoding" javascript...

Thanks for any feedback!

evant
14 Mar 2008, 1:24 PM
I guess the point is that it shouldn't matter. Don't trust any data coming from the client.

In your case, when you receive the customer id, check that the logged-in user has permission to access that customer. Check that it's a valid customer, etc.
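One way to apply that advice on the server side of the endpoint from the original post, as an added example that is not code from the thread or from ExtJS: the handler ignores who the client claims to be, validates the shape of `custid` and `pgmode`, and only renders the fragment after confirming that the session's user owns that customer. The session key, table and column names, and the two render functions are assumptions.

```php
<?php
// Added example (not from the thread): a guarded mod_acct_details.php.
// Session key, schema and renderer names below are assumed for illustration.
declare(strict_types=1);

// Renderers are chosen from an allowlist, never from the raw pgmode string.
function render_billing_address(PDO $pdo, int $custId): void {
    $stmt = $pdo->prepare('SELECT street, city, postcode FROM billing_addresses WHERE customer_id = :id');
    $stmt->execute([':id' => $custId]);
    foreach ($stmt as $row) {
        // Encode on output so stored data cannot inject markup into the panel.
        printf('<div>%s, %s %s</div>',
            htmlspecialchars($row['street']), htmlspecialchars($row['city']), htmlspecialchars($row['postcode']));
    }
}

session_start();

// 1. Identity comes from the session only; the request cannot assert it.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not logged in');
}
$userId = (int) $_SESSION['user_id'];

// 2. Validate the shape of every client-supplied parameter before use.
//    filter_input returns null if absent and false if it fails validation.
$custId = filter_input(INPUT_GET, 'custid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$allowedModes = ['billaddr' => 'render_billing_address'];
$pgMode = $_GET['pgmode'] ?? '';
if ($custId === false || $custId === null || !isset($allowedModes[$pgMode])) {
    http_response_code(400);
    exit('Bad request');
}

// 3. Authorize: the customer must belong to the logged-in user.
//    Assumed schema: customers(id, account_owner_id). A prepared statement
//    keeps the values out of the SQL text entirely.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('SELECT id FROM customers WHERE id = :id AND account_owner_id = :owner');
$stmt->execute([':id' => $custId, ':owner' => $userId]);
if ($stmt->fetchColumn() === false) {
    // Same answer for "does not exist" and "not yours", so the endpoint
    // gives no signal about which customer ids are valid.
    http_response_code(404);
    exit('Not found');
}

// 4. Only now render the fragment the Ext panel asked for.
$allowedModes[$pgMode]($pdo, $custId);
```

With these checks in place, reading the URL and parameter names out of the JavaScript gives a visitor nothing they could not already get by using the page as themselves.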

OutpostMM
15 Mar 2008, 4:13 PM
I'll also mention that all of the same risks with links in HTML or PHP pages go with JavaScript. Having all of the links in a JavaScript file does not add any new security risks that aren't already there. Regardless of whether it is HTML or JavaScript, the page is still telling the client what information to send where.

jay@moduscreate.com
15 Mar 2008, 4:34 PM
Web pages/JavaScript can be easily reverse engineered, regardless of the technology or framework behind it.