Clannad System

Reputation: 489

Is ajax post using jquery secured?

I would like to ask this because I'm not quite sure that it is secure.

I am planning on changing my page to ajax based registration. So my data will be inserted using jquery ajax post.

But if someone uses Firebug and sees where my post is being sent, they can use other forms of Firefox addons to post data to that URL and can easily register without going to my page.

Although I can validate first where the request is coming from, that would be extra code and work.

I will also add server-side validation for my form, since someone can register without validation using the direct URL that they will see in Firebug.

I just wanted to know if there are already standard procedures for applying ajax-based data posts.

But ajax-based select / fetch is cool and very useful.

Currently this is what I am planning on doing on my registration page.

  1. validate that all requests must come from my registration page.

    • might use a transaction / request code
    • might use cookie
    • might use session
    • might use date time comparison
  2. if validation fails I should have form validation on the server side to clean the posted data before inserting it into the db

Upvotes: 2

Views: 167

Answers (2)

drew010

Reputation: 69957

If a user can use their browser to register on your site via Ajax, they can spoof the registration using some other programming language. There isn't anything you can do to make it so they can only register from your site via Ajax.

You can implement tricks to make it difficult for them to figure out, but you can't make it impossible. They can spoof the referrer, load other pages to get the required cookies/session variables, spoof Ajax request headers etc.

Upvotes: 0

Eric J.

Reputation: 150108

Never trust a UI.

Whether you do an Ajax post or a standard post, people can figure out what you are posting and create their own client. Even if you use https, the person controlling the browser can see what is posted and decipher the protocol.

You need to create your service so that it is not vulnerable to a user handcrafting a client.

Upvotes: 3
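As an added example (not code from the question or either answer), here is what "not vulnerable to a handcrafted client" looks like in a Node.js-style registration handler: the accept/reject decision depends only on server-side validation of the body, never on the Referer, X-Requested-With or cookies a client claims to send. The field names, rules, request shape and the Set standing in for the database are assumptions for the demo.

```javascript
// Added example: server-side validation for an ajax registration post.
// Field names, rules and the { headers, body } request shape are assumptions.

const USERNAME_RE = /^[a-z0-9_]{3,20}$/i;
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate the posted payload on the server. Returns a list of failing
// field names; an empty list means the payload is acceptable.
function validateRegistration(body) {
  if (typeof body !== 'object' || body === null) return ['malformed body'];
  const errors = [];
  const { username, email, password } = body;
  if (typeof username !== 'string' || !USERNAME_RE.test(username)) errors.push('username');
  if (typeof email !== 'string' || !EMAIL_RE.test(email)) errors.push('email');
  if (typeof password !== 'string' || password.length < 10) errors.push('password');
  return errors;
}

// Simulated handler. req.headers is deliberately never consulted for the
// decision: a handcrafted client can set Referer or X-Requested-With to
// anything, so only the validated body and the server's own state matter.
function handleRegister(req, db) {
  const errors = validateRegistration(req.body);
  if (errors.length) return { status: 400, errors };
  const key = req.body.username.toLowerCase();
  if (db.has(key)) return { status: 409, errors: ['username taken'] };
  db.add(key); // stand-in for the real insert into the users table
  return { status: 201, errors: [] };
}

// Constructed sample requests: one that looks like it came from the
// registration page, one handcrafted with no browser headers at all.
const fromPage = {
  headers: { referer: 'https://example.test/register', 'x-requested-with': 'XMLHttpRequest' },
  body: { username: 'alice', email: 'alice@example.test', password: 'correct horse battery' },
};
const handcrafted = {
  headers: {},
  body: { username: 'bob<script>', email: 'not-an-email', password: 'short' },
};

// Run both through the same handler against a fresh in-memory "db".
function demo() {
  const db = new Set();
  return { page: handleRegister(fromPage, db), crafted: handleRegister(handcrafted, db) };
}
```

The same valid body sent without any headers is accepted too, which is the point: the server cannot tell the page's client from a handcrafted one, so it must treat every post as untrusted input.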
