AJAX - The Complete Reference

PART II


Chapter 7: Security Concerns 331


secret to the end user where it could be discovered. While this approach certainly is far from
perfect, it’s better than sending requests with no integrity checks at all!

NOTE The Content-MD5 header has the added benefit of identifying the specific content delivered
in a small amount of data. If an indexing engine were to refetch the content, it could tell simply
by looking at this header whether it should bother parsing the document. Whether this is actually
implemented in common search bots is another question, but it is certainly an enabling technology.
Keep in mind, though, that a bare Content-MD5 value only detects accidental corruption: anyone who
can alter the body can recompute the header to match, so it works as an integrity check against
tampering only when it is combined with a secret the attacker does not hold. (The header was later
dropped from the HTTP specification in RFC 7231, although servers and clients may still send it.)

Web Services and Ajax: Security’s Pandora’s Box


If there is one thing you should have learned by now in this chapter, it’s that you really can’t
trust anyone on the Web. Any site can be co-opted to attack you via an XSS or CSRF
exploit. If you keep to yourself and reject any data that doesn’t meet your criteria for
what is allowed, you should be okay, but that’s not very Web 2.0 of you. Don’t you want to
consume all those rich Web services that are out there on offer? So let’s take a brief
moment to discuss this topic in light of security before returning to it in Chapter 10.

FIGURE 7-16 Response signatures in action