
Javascript Global Variables - Protection

I am using some global variables on a web application, built on HTML/JavaScript. I am using these variables across pages (or portions of them), and sometimes they are used as post

Solution 1:

There is nothing different about this from any web application, from a point of view of security.

Anything sent from the browser must be treated as untrusted by the server. This includes URL parameters, form post data, cookies, HTTP headers and anything controlled by JavaScript. All these items can be manipulated by an attacker.

Essentially, it doesn't matter what the values are in the client, you only need to worry about them when they hit your server in the form of a new HTTP request (this includes XHR). Until that point, variables with bad values can't do any damage.

Ensure your server can correctly authenticate the current user and only allow them access to data and actions that they are authorised to perform. Ensure that all data received from the browser is checked to be correct (if known) or of the correct datatype and within expected limits, rejecting the data and aborting the action if it is not.
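A sketch of the server-side checks described in this answer, added here as an example and not code from the original answers. The handler name, the order store, the session shape and the field names (`orderId`, `quantity`) are assumptions made for illustration.

```javascript
// Constructed data: a hypothetical in-memory order store keyed by order id.
const ORDERS = new Map([
  [101, { ownerId: 'alice', quantity: 1 }],
  [102, { ownerId: 'bob', quantity: 1 }],
]);
const MAX_QUANTITY = 100;

// Accept only a canonical positive integer sent as a number or a string.
// Arrays, objects, floats, NaN and strings with trailing junk are rejected.
function parsePositiveInt(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return null;
  const text = String(value);
  if (!/^[1-9][0-9]{0,8}$/.test(text)) return null;
  return Number(text);
}

// `session` is server-side state (for example, looked up from a session cookie).
// `body` is the parsed POST/XHR payload, i.e. whatever the client-side
// variables contained when the request was sent; treat all of it as untrusted.
function handleUpdateQuantity(session, body) {
  if (!session || typeof session.userId !== 'string') {
    return { status: 401, error: 'not authenticated' };
  }
  if (body === null || typeof body !== 'object') {
    return { status: 400, error: 'malformed body' };
  }
  const orderId = parsePositiveInt(body.orderId);
  const quantity = parsePositiveInt(body.quantity);
  if (orderId === null) return { status: 400, error: 'invalid orderId' };
  if (quantity === null || quantity > MAX_QUANTITY) {
    return { status: 400, error: 'invalid quantity' };
  }
  // Authorisation uses the session identity only. Fields such as
  // body.userId or body.isAdmin are never consulted.
  const order = ORDERS.get(orderId);
  if (!order || order.ownerId !== session.userId) {
    return { status: 403, error: 'forbidden' };
  }
  order.quantity = quantity;
  return { status: 200, orderId, quantity };
}
```

A request whose body claims a different `userId` or an `isAdmin` flag gets the same result as one without them, because the handler reads identity from the session alone.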

Solution 2:

If you use jQuery, you can use $.data().

With this, you can associate the data with an element, thus an unauthorized user will not be able to access it.

Solution 3:

JavaScript has runtime type identification (everything is a var, like Visual Basic); it's a loosely typed language.

JavaScript has its own security model, though:

  1. User cannot access files (r/write)
  2. It cannot access or look at user location, files, open windows without demand etc

It is not possible to protect the source of your JavaScript file either, or even password-protect it, as this is better done server side.

Even encryption or decryption doesn't work, because somehow you need to tell your users the key.

Worse, JavaScript can self-modify at run-time - and often does. That means that the security threat may not be in the syntax or the code when it's delivered to the client, but it might appear once the script is executed.

There is no JavaScript proxy that parses and rejects malicious script, no solution that proactively scans JavaScript for code-based exploits, no external answer to the problem. That means we have to rely on the browser developers to not only write a good browser with all the bells and whistles we like, but for security, as well.
