Hey guys, I'm doing an AJAX POST call - but with FireBug you can see all the details (allowing people to bypass the form).
Any tips on obfuscating this POST (or something along those lines)?
My ajax call:
$.ajax({
    type: "POST",
    url: "php/query.php",
    cache: false,
    // Both the action name and the letter are visible to anyone with FireBug
    data: "action=getWordsByLetter&l=" + letter,
    success: function(data) {
        // Server replies "word1|word2|...|"; the trailing separator leaves an empty last element
        var dataArray = data.split('|');
        $('#words').html('');
        for (var i = 0; i < dataArray.length - 1; i++) {
            // Insert as text, not HTML, so a word containing markup cannot inject into the page
            $('#words').append($('<li class="w">').text(dataArray[i]));
        }
    }
});
I would prefer to write the code myself as opposed to depending on a plugin :)
If bypassing the form is a major problem, you can always include a reCAPTCHA that has to be solved with each post of that particular form.
I don't know about the scenario you're solving, but this will make it more or less impossible to make programmatic POSTs.
The other way is, as suggested, a client-side library. You can either use a client library and make it easy on yourself, or write your own code that does something similar.
As I understand it, your form has at least one field on it. And you should only process this form when it has been requested first. What you could do is make this field's name completely dynamic:
If there's a risk that results will be consumed by bots, you can always change the structure of your document in various ways (change container elements, change their CSS class names, IDs, etc.). Make a list of changes (several of them) and use permutations of them. You can more or less always achieve a result that looks visually the same to a human, but a machine will have a hard time reading it.
As obfuscation is client-side, anyone can just look at your obfuscation code and tamper with the post - you don't gain much.
Secure the server side: have a minimum word length and flood protection (only accept X requests from a client in Y seconds), and make sure that people cannot get access to any data they should not have access to by simply asking for it.
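As an added illustration of the server-side checks this answer recommends (this is example code, not the asker's php/query.php and not anyone's posted code): the handler below accepts only the one action it is meant to serve, requires `l` to be exactly one ASCII letter, enforces a minimum word length in the query, counts requests per client in a window, and still returns the `word1|word2|...|` format the asker's JavaScript splits on. It assumes a hypothetical SQLite database `words.db` with a table `words(word)` and keeps the request counter in the PHP session; both are assumptions for the example.

```php
<?php
// Added example, not the original php/query.php: validate everything on the
// server so it does not matter whether the request came from the form,
// FireBug, or curl.
declare(strict_types=1);

const MAX_REQUESTS    = 30;  // at most X requests ...
const WINDOW_SECONDS  = 60;  // ... per Y seconds, per client
const MIN_WORD_LENGTH = 3;
// Only the actions this endpoint exists to serve; anything else is rejected.
const ALLOWED_ACTIONS = ['getWordsByLetter'];

// Fixed-window flood protection. The counter lives in $session (assumed to be
// $_SESSION here); returns true when the client has exceeded the limit.
function rate_limited(array &$session, int $now): bool
{
    $bucket = $session['rl'] ?? ['start' => $now, 'count' => 0];
    if ($now - $bucket['start'] >= WINDOW_SECONDS) {
        $bucket = ['start' => $now, 'count' => 0];
    }
    $bucket['count']++;
    $session['rl'] = $bucket;
    return $bucket['count'] > MAX_REQUESTS;
}

// `l` must be exactly one ASCII letter: "", "%", "' OR 1=1" and arrays are all rejected.
function validate_letter($raw): ?string
{
    if (!is_string($raw) || !preg_match('/^[A-Za-z]$/', $raw)) {
        return null;
    }
    return strtolower($raw);
}

// Prepared statement: the letter is bound, never concatenated into the SQL.
// The minimum length is enforced here, not trusted from the client.
function words_by_letter(PDO $pdo, string $letter): array
{
    $stmt = $pdo->prepare(
        'SELECT word FROM words WHERE word LIKE :prefix AND LENGTH(word) >= :minlen ORDER BY word LIMIT 200'
    );
    $stmt->bindValue(':prefix', $letter . '%');
    $stmt->bindValue(':minlen', MIN_WORD_LENGTH, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

session_start();
header('Content-Type: text/plain; charset=utf-8');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
if (rate_limited($_SESSION, time())) {
    http_response_code(429);   // Too Many Requests
    exit;
}
if (!in_array($_POST['action'] ?? '', ALLOWED_ACTIONS, true)) {
    http_response_code(400);
    exit;
}
$letter = validate_letter($_POST['l'] ?? null);
if ($letter === null) {
    http_response_code(400);
    exit;
}

$pdo = new PDO('sqlite:words.db');   // assumed database location for the example
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Trailing '|' matches the original client, whose loop stops at length - 1.
echo implode('|', words_by_letter($pdo, $letter)) . '|';
```

One caveat on the flood protection: a session-based counter is trivial to evade by simply discarding the cookie and starting a new session, so for real deployments key the counter on something the client cannot reset as cheaply (client IP, or an authenticated user) in a shared store such as APCu or Redis rather than in the session. The validation and prepared statement, on the other hand, hold regardless of how the request was produced, which is the point of this answer.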
Actually, I think you should make your server application so that it doesn't really matter if people bypass the actual form.
Always, always assume your client is corrupted, could be a bot, a hacker, etc. The service this POST is submitted to should simply not allow abuse.
Obfuscation is security through obscurity, and not a guarantee that nothing will be abused. In fact, in this case it might even make your application an order of magnitude more complex. In order to be effective, it'd have to 'randomize' the keys and values sent to your server, in which case the server itself should know which obfuscated key matches what value. In fact, I think you're not looking for obfuscations, but for encryption.