Ajax submit form security?

Question

Suppose I have a form and I wanna prevent the user from submiting the form before validating, so that I use the event.preventDefault() in onsubmit :

// In my validation.js

$('#myForm').bind('submit', function(event){
   event.preventDefault();
   // I do the client-side validation here
});

You can see here, the user can edit the validaiton code after preventDefault() line. And they pass the validation (only client side)

What is the more secure way to make a form 'ajax' with client-side validation? I have the server-side validation too, but I just wanna ask how to make the client-side one harder to crack and more secure?

Answer 1

You should duplicate all your client side validation on the server. A better solution if using .NET would be to use Dataannotaion to decorate your entity classes with Required, Range, Regularexpression attributes. These attributes can be validated client side using jquery.unobtrusive.validate and then on serverside using ModelState.IsValid()

Answer 2

You can't make it completely secure client side, but you can increase security. Amongst other things you could do are:

• You could not have a submit button, just a normal button, only allowing form submission with JS enabled by doing the submission in JS bound to the click of the button.
• You could minify / obsfucate the JS to make editing harder.
• You could perform a pre-submit authentication check with the server requesting a key valid for a short period of time, which is then submitted with the form, so that the server side can verify that the submission was more likely to have come from your valid javascript.

Answer 3

It's never "more reliable" or "more secure". JS can be disallowed and there would be no validation on client-side.