Best way to protect integrity of ajax request

Question

I am building a Drupal website with a lot of user-specific information that will be posted using jQuery/ajax. The information it self is not very sensitive, it is just impor

Answer 1

You cannot do what you're trying to do. Basically, you're trying to verify that one component (your form) on an untrusted and uncontrolled client is not tampered with by another component on that same client. You don't control the client. You can come up with all sorts of methods to make it harder for someone to do this on their client, but in the end you must expose how you're doing those integrity checks to the client. Whatever you do in your form scripts can be read and understood by the person on that client (it has to run on the client, so whomever is interacting with the client can reverse engineer anything you're doing to recover the techniques used and any keys/etc that you have to enable your scheme).

Basic rule of web application security is that you cannot control what's happening on the client, so you cannot trust client-side verification/security schemes like this.

In the end, it's unlikely that the protection offered by such a scheme would be worth the time and investment to implement it. Someone who is determined to break it will be able to.