Security
In a plain HTML website, developers have the luxury of keeping sensitive logic to themselves. The code that builds the admin pages runs on the server, and when you log in to the admin page what the browser receives is only the rendered output meant for someone with proper authorization. Without a username and password, attackers have very little to work from: the page they can extract gives them no picture of how the server produces that information.
An Ajax-based website does not have the same luxury. When an Ajax-based site performs a function, the server is not the only party that sees the code: the script that calls the server is delivered to every visitor's browser, so everyone can read which server functions exist and how they are called. With that code in hand, an attacker can skip the user interface and send requests straight to the server, including to the functions that are supposed to be reserved for the web administrator. If the only check stands at the login page rather than inside each function, the attacker does not need the admin username and password at all; the login page is simply never visited, and the information on the server is requested directly.
This usually happens when you convert an HTML site into an Ajax-based one, that is, when "Ajaxifying" the webpage. Remember that an HTML-based website is remarkably different from an Ajax-based one: the administrative functions that were safe in HTML will not behave the same way in Ajax. As we have said, the source code, and with it most of the functions of an Ajax site, is available to the user, even one who has no idea what the username and password are. So imagine what they would be able to reach: user statistics, personal information and, of course, credit card information, the attacker's favourite.
If you are thinking what I was thinking, my first reaction to this problem was to hide the information by placing the functions and data in a non-shared folder. That seemed reasonable, since a non-shared folder cannot be browsed by anyone. But I was wrong, way wrong. The non-shared folder sits on the same server the attacker is already sending requests to, and an obscure location only has to be guessed or found once. Do not assume that keeping the folder somewhere unexpected will keep attackers away from sensitive information. You are only buying time, and more often than not it protects nothing at all.
So what can you do? Fortunately, there is something you can do to ensure that these functions cannot be reached by just anyone. Each function must check the caller's authorization itself, before it reads or modifies anything, rather than trusting that the caller went through the login page. This is a challenge when you have many functions to deal with: there is a lot to reconfigure, and adding an authorization check to each function one by one is hard work. But it is essential given how exposed an Ajax-based website is.
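The following is an added example, not code from the original page, showing the per-function authorization the paragraph above calls for. It is framework-free: a plain dict stands in for the HTTP request, a dict of handlers stands in for the URL map, and the session store and data are constructed for the example. It contrasts an endpoint that relies on a "hidden" path with endpoints wrapped in a `requires_role` check, so that a direct request without a valid admin session is refused no matter where the function lives.

```python
"""Per-function authorization for Ajax endpoints (added example, not the
original author's code). A request is modelled as a dict and the URL map as a
dict of handlers; the session store below is constructed for the example and
in a real application lives server-side, never in the page a client can read."""
from functools import wraps

# Constructed session store: session id -> user record (assumption for the example)
SESSIONS = {
    "sess-admin": {"user": "alice", "roles": {"admin"}},
    "sess-user": {"user": "bob", "roles": {"user"}},
}


class Forbidden(Exception):
    """Raised when the caller's session lacks the role a function requires."""


def requires_role(role):
    """Decorator: the wrapped function runs only when the caller's session carries `role`."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(request, *args, **kwargs):
            session = SESSIONS.get(request.get("session_id"))
            if session is None or role not in session["roles"]:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(request, *args, **kwargs)
        return wrapper
    return decorator


# The 'hidden folder' approach the text warns against: an obscure path and no check.
# Anyone who learns the path from the client-side script can call it directly.
def unprotected_user_stats(request):
    return {"users": 42, "signups_today": 3}  # constructed data


# The same function with authorization enforced inside the function itself.
@requires_role("admin")
def user_stats(request):
    return {"users": 42, "signups_today": 3}  # constructed data


@requires_role("admin")
def customer_record(request, customer_id):
    return {"id": customer_id, "name": "Example Customer"}  # constructed data


# Stand-in for the URL map: path -> server function reachable from the Ajax client
HANDLERS = {
    "/secret-folder/stats": unprotected_user_stats,
    "/api/admin/stats": user_stats,
    "/api/admin/customer": customer_record,
}


def dispatch(path, session_id=None, **params):
    """Route a request the way the front end (or a direct caller) would.

    Returns an (http_status, body) tuple. The login page is deliberately
    absent: authorization is decided by each handler, not by how it was reached.
    """
    handler = HANDLERS.get(path)
    if handler is None:
        return 404, {"error": "not found"}
    request = {"session_id": session_id}
    try:
        return 200, handler(request, **params)
    except Forbidden as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    # A direct call with no session: the obscure path answers, the checked one refuses.
    print(dispatch("/secret-folder/stats"))
    print(dispatch("/api/admin/stats"))
    print(dispatch("/api/admin/stats", session_id="sess-user"))
    print(dispatch("/api/admin/stats", session_id="sess-admin"))
```

The decorator is the cheap way to pay the "tiresome" price the text describes: every sensitive function gets the same one-line annotation, and the check travels with the function rather than with the folder it sits in. The session lookup uses an opaque session id rather than anything the client could forge, which is the assumption that makes the role check meaningful.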
The solution to the problem is very simple but very tiresome. That is the price you have to pay if you want a secure website. Always remember that an HTML site does not need the same per-function authorization that an Ajax-based website does.