Best way to protect integrity of ajax request

Backend · unresolved · 5 answers · 1666 views
无人共我
无人共我 2021-01-12 14:19

I am building a Drupal website with a lot of user-specific information that will be posted using jQuery/ajax. The information it self is not very sensitive, it is just impor

5 answers
  •  小鲜肉
    小鲜肉 (original poster)
    2021-01-12 14:57

    There is absolutely no way to prevent someone from making "fake" requests. You just have to think this way:

    If my web browser can make this request, anyone (manually or not) can make it.

    If you put some kind of encryption on the user side, then it'll be easy for anyone to work out how you made your encryption, and then do the same manually. For example, when you are talking about hashes:

    hash(session id for the current user, "secretkey")
    

    Your secretkey is not secret, because it's inside a JavaScript file.

    The only thing you can do is to throw a spanner in the "hacker's" works. For example, you can get this secretkey from an AJAX request. This secret key would be unique and deleted on every successful request. In a more general way, you'll have to move the logic of your application as close to the server side as possible.
