Tuesday, October 30, 2007

Five Ajax Security Tips

This is a nice piece from TechTarget's Visual Basic News about five security tips for coding Ajax.

I have to say that the more things change, the more they stay the same. Is it déjà vu, or what? These tips all preach about the evils of trusting client-side code. Haven't we been through this before with JavaScript? Oh, I forgot, Ajax is partly about JavaScript.

Here's an excerpt from the article:

  • Use CustomErrors pages in the WebConfig file to prevent attackers from identifying an application's particular vulnerability.
  • Use stored procedures or parameterized SQL queries instead of dynamically created SQL queries.
  • Perform input validation on the server side, not through JavaScript.
  • Use the Least Privileges account for your database and do not allow access to system data. This builds on the notion that security should be implemented in single layers, Lombardo stated: "You don't want them to be able to thwart one and then get to the data."
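To make the parameterized-query, server-side-validation and custom-error tips concrete, here is an added example of my own (not code from the TechTarget article or this post), written in Python against an in-memory SQLite table constructed for the purpose; the `users` table, the username rule and the handler names are assumptions. It puts a dynamic-SQL lookup next to a parameterized one, behind the kind of handler an Ajax endpoint would call.

```python
import re
import sqlite3

# Constructed sample data standing in for what an Ajax endpoint would query.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

# Assumed username policy, enforced on the server regardless of any JavaScript check.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def lookup_email_dynamic(conn, username):
    # The pattern the tip warns against: the client-supplied value becomes part of
    # the SQL text, so a quote in the value changes the meaning of the query.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_email_parameterized(conn, username):
    # The value travels as a bound parameter, never as SQL text, so it is always
    # compared as a literal string, quotes included.
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]

def ajax_handler(conn, username):
    # Server-side validation first, then the parameterized lookup.  Any database
    # failure is reported to the client generically (the CustomErrors idea); the
    # detail belongs in the server log, not in the response.
    if not USERNAME_RE.match(username):
        return {"status": 400, "error": "invalid username"}
    try:
        emails = lookup_email_parameterized(conn, username)
    except sqlite3.Error:
        return {"status": 500, "error": "internal error"}
    return {"status": 200, "emails": emails}
```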
