How can I validate/secure/authenticate a JavaScript-based POST request?

Question

A product I\'m helping to develop will basically work like this:

• A Web publisher creates a new page on their site that includes a

Answer 1

Give people keys on a per-domain basis.

Make people include in the requests the hash the value of the [key string + request parameters]. (The hash value should be computed on the server)

When they send you the request, you, knowing the parameters and the key, can verify the validity.

Answer 2

The primary weakness with the system as you described it is that you are "given" the page content, why not go and get the page content for yourself?

1. A Web publisher creates a new page on their site that includes a script from your server.
2. When a visitor reaches that new page, that script sends a get request to your server.
3. Your server goes and gets the content of the page (possibly by using the referrer header to determine the source of the request).
4. Your server processes the text content and returns a response (via JSONP) that includes an HTML fragment listing links to related content around the Web. This response is cached and served to subsequent visitors from a server side cache / proxy
5. When the TTL for the cached version expires, the proxy will forward the request on to your app and the whole cycle starts again from step 3.

This stops malicious content from being "fed" to your server and allows you to provide some form of API key that ties requests and domains or pages together ( i.e. api key 123 only works for referrers on mydomain.com - anything else is obviously spoofed ). Due to the caching / proxy your app is protected to some degree from any form of DOS type attack as well because the page content is only processed once every time the cache TTL expires ( and now you can handle increasing loads by extending the TTL until you can bring additional processing capability on). Now your client side script is insanely small and simple - no more scraping content and posting it - just send an ajax request and maybe populate a couple of parameters ( api key / page ).

Answer 3

Can the web publisher also put a Proxy page on their server?

Then load the script through the proxy. Then you have a number of possibilities where you can control the connection between the two servers, add encryption and things like that.

What is the login system? What about using a SSO solution and keeping your scripts separate?

Answer 4

How about:

Site A creates a nonce (basically a random string), sends it to your site B that puts it into the session. Then when the site A makes the POST request from the site it sends the nonce along with the request and the request is only accepted if the nonce matches the one in the site B's session.