夏期劇場

Reputation: 18325

Protecting JSON in Javascript?

I used jQuery Ajax to talk to a PHP script, which then returns JSON. The returned JSON array object is then assigned to a JavaScript variable: var myJSON = ajaxReturn;

Normally the returned JSON values are not visible in the page source or the JavaScript file, as they are rendered at runtime only.

But when I open tools like Firebug and call that variable in the console, like alert(myJSON);, the results pop out. I do NOT want that to happen, as this is secret data.

Upvotes: 0

Views: 2014

Answers (4)

arvin_codeHunk

Reputation: 2390

You have just missed the game. Once you send the data from your server, it's out of your limit. Because a browser like Firefox can do anything, the point is that everything which renders on the client is public.

Even if there were some way to block Firefox from displaying the data in Firebug, it's easy for anyone to write their own web client that pretends to be a web browser, and then they can do whatever they want with the data.

If you really want to hide JSON data, then don't send it using Ajax/JSON. Use different terminology or server-side programming.

Upvotes: -1

Roy Dictus

Reputation: 33139

What do you do with the JSON data? In all probability, you are feeding UI controls or subsequent calls to web services. So if you would protect (i.e., encrypt) the JSON, you would still need client-side decryption, and so your JSON would still be vulnerable -- as you can just do an alert(decryptedJSON) too.

There is no real, safe way to protect JSON if you have to be able to decipher the data in the browser.

You can of course protect the data while it is underway over the network by encrypting it, either using HTTPS or by explicitly encrypting the data server-side and then decrypting it using client-side JavaScript. But that does not protect it from being viewed in the browser.

A better option could be to encrypt and decrypt only on the server, if that fits your scenario. So you can get encrypted JSON data from a particular web service call, then feed that data into your next web service call where it gets decrypted on the server. That way, your client-side JavaScript doesn't need to decrypt, making your data safer. But if the purpose is to populate the UI, obviously this won't fit your needs.

Upvotes: 1
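
The server-only encrypt/decrypt flow described in the answer above, as an added example that is not part of the original answers. Node.js stands in for the PHP back end here, and the names `seal`, `unseal`, `firstCall`, `secondCall`, `SERVER_KEY` and the sample data are hypothetical.

```javascript
// Added example: Node.js stands in for the PHP back end (assumption).
const crypto = require('node:crypto');

// Assumption: in production the key comes from server-side secret storage
// and never reaches the browser. Generated per process here for the demo.
const SERVER_KEY = crypto.randomBytes(32);

// Seal a JSON-serialisable value into an opaque token (AES-256-GCM).
// `context` (e.g. a session id) is bound as AAD so a token cannot be reused elsewhere.
function seal(data, context, key = SERVER_KEY) {
  const iv = crypto.randomBytes(12); // fresh nonce for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(data), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Open a token echoed back by the client. Returns null when the token is
// malformed, modified, or presented under a different context.
function unseal(token, context, key = SERVER_KEY) {
  try {
    const raw = Buffer.from(String(token), 'base64url');
    if (raw.length < 28) return null; // 12-byte IV + 16-byte tag
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(context, 'utf8'));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null; // authentication failure or bad JSON
  }
}

// First web service call: the browser receives display text plus the opaque token.
function firstCall(sessionId) {
  const secret = { accountId: 4711, discountRule: 'tier-3' }; // constructed sample data
  return { display: 'Your quote is ready', token: seal(secret, sessionId) };
}

// Second call: the browser hands the token back; only the server reads it.
function secondCall(sessionId, token) {
  const secret = unseal(token, sessionId);
  if (secret === null) return { status: 400, error: 'invalid token' };
  return { status: 200, result: 'discount applied' };
}
```

The token stays valid for as long as the key and context match, so put an expiry field inside the sealed data if replay matters.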

Konstantin Dinev

Reputation: 34895

If the purpose of your application is to store the JSON for client use, then you have no way of protecting it from being accessed. However, you can do all modifications upon receiving the JSON and then discard it (not store it). Keep in mind that the request can still be intercepted and the response can be read simply by using the networking tab of the browser developer tools.

Upvotes: 1

fmsf

Reputation: 37137

Everything sent to the client side is public; this is the nature of front-end development and you can't change it. It is impossible to hide stuff from the user if he decides to take a peek.

Upvotes: 1
