
Securing IDs on Ajax Driven Applications

Developer https://www.devze.com 2023-03-28 23:16 Source: web

In building out applications that have the majority of the UI events driven by Ajax calls, we create a better UX, but there is additional security risk involved, as more information is exposed to the user's browser than is stored on the server. Specifically, identifying values.

Aside from additional back-end validation, I'm curious what other "best practices" exist out there when passing IDs around on the client. I've seen things like hashing or encrypting the ID before it goes out to the client, but didn't know if any other options existed.


This issue reminds me of how WCF structures Transport (SSL) versus Message security. The more layers of security you have, the better off you will be in the long run. If your door only has a knob handle lock and not a deadbolt, how secure are you?

Your best bet is to use Transport (SSL) and Message protection on the elements you think are sensitive to your application. You need some identifiable token, but you should always store the token encrypted - just as you would if you were storing client cookies. Don't allow users to interrogate IDs you wish to keep private.

Encryption schemes vary - but you can implement any you feel provide the protection level you seek.


As far as I know, using HTTPS is best practice to send/receive important information.

