AJAX - The Complete Reference


284 Part II: Developing an Ajax Library


reasons, from monitoring data flows to observing trends to eavesdropping and looking for
useful information to direct manipulation of passing content.
In general, the most trustworthy attack surface presented tends to be the server-side,
which should be under your control and employing the security measures that you define.
The least trustworthy is clearly the client, which in many cases you do not know and have
no control over at all. The client side, which is where much of Ajax happens, is inherently insecure,
so you need to get used to a more vigilant security posture. The network is somewhere in
between, depending on what networks are used for transit, but it should be assumed that it
is pretty much untrustworthy as well. Because of the extreme degree of client insecurity in
Web applications, including those using Ajax, you simply cannot trust users or the data they
submit. Every action made by and every data item submitted by users must be verified if
you are going to stand any chance of decently securing an application. Furthermore, given
that the intentions of the end users are simply not known, they should not be armed with
any more information about your systems and application than necessary. How the
application was built and who runs it should be disclosed only to those who need to know.
In summary, these two basic ideas can be distilled into the following golden rule:

Web Security Golden Rule: Disclose very little, trust even less.
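As an added example (not code from the book), here is what the golden rule looks like in a server-side handler for an Ajax request, written in JavaScript: every submitted field is checked against an explicit allow-list, and the client is told only that the request was rejected while the detail goes to the server log. The field names, limits and messages are assumptions for illustration.

```javascript
// Added example, not from the book. Field names, limits and messages are
// assumptions; the point is the pattern: trust nothing the client sends,
// and tell the client as little as possible about why it was rejected.
const FIELDS = {
  username: { type: "string", maxLen: 32, pattern: /^[A-Za-z0-9_]+$/ },
  quantity: { type: "number", min: 1, max: 100 },
};

// Validate the decoded JSON object the Ajax client sent. Unknown fields are
// rejected outright; hasOwnProperty is used so that names inherited from
// Object.prototype (e.g. "constructor") are not mistaken for allowed fields.
function validateOrder(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, problems: ["body is not an object"] };
  }
  const problems = [];
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(FIELDS, key)) {
      problems.push(`unexpected field: ${key}`);
    }
  }
  for (const [name, rule] of Object.entries(FIELDS)) {
    const v = body[name];
    if (typeof v !== rule.type) { problems.push(`${name}: missing or wrong type`); continue; }
    if (rule.type === "string") {
      if (v.length > rule.maxLen) problems.push(`${name}: too long`);
      if (!rule.pattern.test(v)) problems.push(`${name}: bad characters`);
    } else if (!Number.isInteger(v) || v < rule.min || v > rule.max) {
      problems.push(`${name}: out of range`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Build the response for the Ajax caller. The specific problems are written
// to the server log; the client receives one generic error message.
function handleOrder(rawJson, log) {
  const rejected = { status: 400, body: { error: "invalid request" } };
  let body;
  try { body = JSON.parse(rawJson); }
  catch (e) { log(`malformed JSON: ${e.message}`); return rejected; }
  const result = validateOrder(body);
  if (!result.ok) { log(`rejected: ${result.problems.join("; ")}`); return rejected; }
  return { status: 200, body: { accepted: true } };
}
```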

NOTE In this chapter, the word “hacker” is used to characterize anyone trying to gain unauthorized
access to a Web site or application. There is no attempt to address the perceived ethical and jargon
precision issues of this term, as in the ongoing “hacker” versus “cracker” argument. These
discussions do little more than distract people from the true point of discussion, which is simply
how to keep those not meant to access a system out of it.

FIGURE 7-1 Wide range of attack surfaces