Reputation: 16532
What I am attempting to do is build a JavaScript library that will take an authenticated user on an external website and securely pass a few pieces of identifying information to my server to retrieve web content, which will then be served up in an iframe on the external site.
Now, my problem is that JavaScript is not secure. Which is actually a big problem.
Assumptions
How do I securely get user details from the external server to my server while ensuring tampering is not going on? Any suggestions or ideas are welcome.
Upvotes: 2
Views: 895
Reputation: 1237
The most secure way of doing that is using Flash, and it isn't that secure either.
The problem with JavaScript is that every input and output from the user is available, and since the user can see the source files (wherever they are stored), you cannot hash those files.
You can use a Flash file as a buffer. The remote server sends the data to the JavaScript and the JavaScript sends it to Flash. Since Flash source code is not available without decompiling, the Flash file gets the data and sends it to your server hashed.
See how flXHR works for more reference: http://flxhr.flensed.com/
Upvotes: 1
Reputation: 449425
As far as I can see, this cannot be done using pure JavaScript.
You will always have to talk to the remote server and ask it whether the user is actually really logged on. Anything you get from JavaScript is unreliable, as it can be freely forged.
You could have the remote server serve a random token to the JavaScript that it in turn sends to your server (just like a session ID). Your server could then ask the remote server whether the token is valid, and display the necessary data.
It won't work without some involvement with the remote server, though. No way around that.
Upvotes: 3
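The token scheme described in the answer above, sketched as an added example that is not part of the original thread. Both servers are simulated in one process, and the class names, the 60-second lifetime and the single-use rule are assumptions. In a real deployment `redeemToken` would be an authenticated HTTPS call from one server to the other.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 60_000; // assumption: tokens are short-lived

// Remote (partner) server: it alone knows which user is logged in.
class RemoteServer {
  constructor() { this.tokens = new Map(); } // token -> { userId, expires }

  // Called while rendering a page for an authenticated user.
  issueToken(userId, now = Date.now()) {
    const token = crypto.randomBytes(32).toString('hex'); // unguessable, carries no data
    this.tokens.set(token, { userId, expires: now + TOKEN_TTL_MS });
    return token;
  }

  // Server-to-server lookup: the browser never takes part in this exchange.
  redeemToken(token, now = Date.now()) {
    const entry = this.tokens.get(token);
    if (!entry) return null;              // unknown or forged token
    this.tokens.delete(token);            // single use: a replayed token fails
    return now <= entry.expires ? { userId: entry.userId } : null;
  }
}

// My server: trusts only what the remote server says about the token.
class ContentServer {
  constructor(remote) { this.remote = remote; }

  // `request` is whatever the browser-side JavaScript sent; all of it is untrusted.
  handleIframeRequest(request, now = Date.now()) {
    if (typeof request.token !== 'string' || !/^[0-9a-f]{64}$/.test(request.token)) {
      return { status: 400, body: 'malformed token' };
    }
    const identity = this.remote.redeemToken(request.token, now);
    if (!identity) return { status: 403, body: 'token rejected' };
    // Any user id claimed by the browser is ignored; only the remote server's answer counts.
    return { status: 200, body: `content for ${identity.userId}` };
  }
}
```
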