Reputation: 1607
I would like to pass a broad set of data from SQL Server via JSON, so I can do Ajax calls on it from the client. I've just started with Ajax, so I'm doing basic examples - per these examples one can easily view, e.g. in Fiddler, the entire JSON that was sent. How would I go about encrypting the passed data, so the view can use it, but it is not disclosed to the public? Is it feasible at all, and if so - how to do it?
Below is some code that I use for the exercises. If I can get some idea based on this basic example or be redirected to a good reading - both options would be very helpful.
Controller
public JsonResult OutputToJson()
{
    var students = _db.Students.ToList();
    return Json(students, JsonRequestBehavior.AllowGet);
}
View
<button id="btnGetStudents">Get students</button>
<div id="AjaxDiv"></div>
<script type="text/javascript">
    $(document).ready(function () {
        $('#btnGetStudents').click(function () {
            $.getJSON("/Student/OutputToJson", null, function (data) {
                var div = $('#AjaxDiv');
                $.each(data, function (i, item) {
                    // Build the row as a text node: appending a concatenated string
                    // would render any HTML contained in item.Name (stored XSS).
                    $('<div>')
                        .text("row: " + i + ", name: " + item.Name + ", grade: " + item.Grade)
                        .appendTo(div);
                });
            });
        });
    });
</script>
Upvotes: 1
Views: 2018
Reputation: 6872
I would suggest using SSL for the communications. Ensure the HTTP connection is secured, i.e. it is HTTPS (secured). And enable authentication of some form to ensure no one except the intended people (authenticated) can invoke the Web API calls to retrieve the data.
This way anyone intercepting the request cannot view the data as plain text.
This can be a matter of merely configuring the web application (i.e. no code changes), with absolutely no changes to your JavaScript code either.
Have a look at the following to get more details on securing Web API: http://www.asp.net/web-api/overview/security
Upvotes: 1
Reputation: 34189
The answer is pretty simple: everything that comes to a client is supposed to be public and available to the client.
You shouldn't implement any "encryption" at the client side, and, honestly speaking, you won't be able to do this, because a client can read your JavaScript as well, including the encryption algorithm and keys.
You should only provide public data to your view, so that you won't have to bother about its disclosure.
You can create a ViewModel and pass it. A view model represents only the data that you want to display on your view/page.
For example, implement a class StudentViewModel, which will be the same as Student, but with public fields only, according to your data model and business logic:
public class Student { /* Shouldn't be disclosed */
    public int Id { get; set; }
    public int Grade { get; set; }
    public string PasswordHash { get; set; }
    public string Email { get; set; }
}

public class StudentViewModel { /* Why should I be worried about ids and grades? */
    public int Id { get; set; }
    public int Grade { get; set; }
}
Then, you can safely return an array of StudentViewModel without worrying about it. The user will see IDs and grades in his HTML, and if he looks at the developer tools network logs - he will see IDs and grades, nothing else.
Upvotes: 3
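The two answers above combine naturally: transport protection plus authentication (first answer) keeps eavesdroppers and anonymous callers away from the endpoint, and a view model (second answer) makes sure the JSON that an authenticated user does see contains nothing beyond what the page renders. The following controller is an added example written for this page, not code from the question or from either answer. It assumes an ASP.NET MVC 4/5 project using Entity Framework; the DbContext name SchoolContext and the Name column on Student are assumptions (the question's jQuery reads item.Name and item.Grade, so the view model exposes exactly those plus Id).

```csharp
// Added example; not code from the question or the answers.
// Assumes ASP.NET MVC 4/5 with Entity Framework 6 (System.Web.Mvc, System.Data.Entity).
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Entity as stored in SQL Server. Some of these columns must never reach a browser.
public class Student
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int Grade { get; set; }
    public string PasswordHash { get; set; }   // must never be serialized
    public string Email { get; set; }
}

// View model: only the fields the page actually renders (item.Name, item.Grade in the question).
public class StudentViewModel
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int Grade { get; set; }
}

// Hypothetical DbContext name; the question only shows "_db.Students".
public class SchoolContext : DbContext
{
    public DbSet<Student> Students { get; set; }
}

[RequireHttps]   // plain-HTTP requests are redirected to HTTPS, so the JSON is not readable in transit
[Authorize]      // anonymous callers get a 401/redirect instead of the data (first answer)
public class StudentController : Controller
{
    private readonly SchoolContext _db = new SchoolContext();

    public JsonResult OutputToJson()
    {
        // Project inside the query (second answer's view model): the sensitive
        // columns are not even selected from SQL Server, let alone serialized.
        var students = _db.Students
            .Select(s => new StudentViewModel { Id = s.Id, Name = s.Name, Grade = s.Grade })
            .ToList();

        // AllowGet is still needed for $.getJSON; the payload now holds only
        // what the page displays, so seeing it in Fiddler discloses nothing new.
        return Json(students, JsonRequestBehavior.AllowGet);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}

// Alternative to per-controller attributes: register the same two filters globally in
// App_Start/FilterConfig.cs, which is the "no changes to existing actions" route of the first answer.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequireHttpsAttribute());
        filters.Add(new AuthorizeAttribute());
    }
}
```

One caveat worth keeping in mind: neither HTTPS nor [Authorize] changes what an authenticated user can read in the browser's developer tools, which is the second answer's point. The projection is the control for that; the attributes only decide who gets to make the request and whether a third party on the network can read it.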