jQuery GetJSON Security Issues. Copying URL and pasting in the browser

Question

I am using the jQuery GetJSON call in my ASP page. It is something like the following code:

$.ajax({
    url: myUrl/myPage.aspx?callback=BookARoom,
    dataT         


        

Answer 1

To prevent your average user from doing it, require it to use a POST instead of GET as the HTTP verb (the requirement must be set server side) and type: "POST" should be used in your ajax call.

To prevent your "advanced" user from spoofing it, the short answer is: you can't. There are ways around anything that you can come up with. Consider using a CSRF token to prevent others from embedding the link in another website.

Answer 2

There are two problems here.

First problem: GET requests are supposed to be safe. There are lots of things that can trigger a GET request. If you are changing state based on a GET request, your code is dangerously broken. Use POST.

Secondly, other websites can cause your user to make requests to your website. This is known as Cross-Site Request Forgery. The typical solution is to require a nonce with each request. Because the nonce is unknown to the other website, they can no longer forge requests. The link I provided will give you further reading on alternative solutions.