• caglararli@hotmail.com
  • 05386281520

How should web app developers defend against JSON hijacking?

Çağlar Arlı      -    0 Views

How should web app developers defend against JSON hijacking?

What is the best defense against JSON hijacking?

Can anyone enumerate the standard defenses, and explain their strengths and weaknesses? Here are some defenses that I've seen suggested:

  1. If the JSON response contains any confidential/non-public data, only serve the response if the request is authenticated (e.g., comes with cookies that indicate an authenticated session).
  2. If the JSON data contains anything confidential or non-public, host it at a secret unguessable URL (e.g., a URL containing a 128-bit crypto-quality random number), and only share this secret URL with users/clients authorized to see the data.
  3. Put while(1); at the start of the JSON response, and have the client strip it off before parsing the JSON.
  4. Have the client send requests for JSON data as a POST (not a GET), and have the server ignore GET requests for JSON data.

Are these all secure? Are there any reasons to choose one of these over the others? Are there any other defenses I'm missing?