Tuesday, March 15, 2011

Securing ajax calls

I need to make an ajax call from a site to a service exposed on another site and server and I need to make it secure, so that I'm sure that the call is a genuine call from the client site and form.

What are the best methods to obtain this?

From stackoverflow
  • I would create a service on your server to do the call to the other site, and implement any type of sanitization there. Cross site ajax calls aren't even allowed on many browsers.

  • At the super-high end of the security spectrum, you could have the server for the client application create a signed message using a private key, and include that message in the html of the client. Then the ajax call would forward that message in its call at which time the ajax server could verify.

    Optimally the message would change to include user id, timestamp etc, so that a known good message could not be saved off and reused by a malicious client.

  • There are a couple approaches.

    What I would lean towards is to have your server proxy the request, so the client only talks to your site.

    1. The user (using your client) authenticates with your site.
    2. The client issues the request to your server
    3. Your server forwards the requests to the remote server
    4. Your server forwards the response back to the client
  • I'm not the owner of the client site, nor do I know the server side technology. I can only include html / js on it. I'm developing a generic plugin that, via javascript, returns content from my server.
