Sending secure HTTP Post via javascript or jquery?

Question

the issue I have ran into here is regarding trying to send HTTP POST data securely (without anyone using a HTTP header viewer to see what data variables are being passed over?)

Is this possible?

This is the scenario:

Website A provides a 'free online database' - for all site users who don't understand or want to set up a database on their website.

Website B uses website A's service to send over customer's email addresses.

Website B needs to send POST data to Website A with a special 'APIkey' - This can't be shown to the public, else the public can use the APIkey and spam requests which Website B didn't authorise.

How can this be achieved, without using PHP on Website B? I'd prefer it to be as easy as possible (e.g. a javascript plugin) - but would I be able to secure it so visitors of website B couldn't see what POST data was being sent over?

Hope you understand and thank you in advance!

Answer 1

No, this is not possible.

JavaScript as you describe it would be executed in the browser. The browser is controlled by the user so there is no way you can hide the key used to sign the requests from a moderately skilled attacker.

As a side-note, using HTTPS would not help either. HTTPS would only help to hide the key from a 3rd party watching the communication. It would not prevent the user of the site from extracting the key from JS.

Answer 2

What you are asking for is like trying to take a banana and to make an apple.

This is just a big security hole. And is a big NO NO. Sever side only. Do not ever trust the clients (web broswer)