  1. #1
    New to the CF scene
    Join Date
    Jan 2013
    Thanked 0 Times in 0 Posts

    How to find out if my javascripts are secure?


    I'm not a coder however I've been supplied by a major US company some javascripts which should take clients from my website to another website.

    I hired a developer to implement them however he refused saying he thinks it would be an insecure way to transmit sensitive information.

    I emailed his response to the company who seem not to care and although I've repeatedly asked if the code is secure, they avoid answering.

    Is it possible to post the scripts so somebody can look over them and advise whether they're secure or not?

    The issue is that the company is a text and email marketing organisation with many resellers. My developer (who may be wrong) said if the passwords were intercepted, it would give access to marketing databases containing personal information, names, email, cell phone etc.

    And if they are not secure, it's the way the company has been advising their resellers to set up their systems for well over a year so it's not an isolated situation.

    After I repeatedly asked for clarification, they eventually came back with:

    I received some additional information from our developers. To sum it up we will need to turn on SSL which will provide additional security, but there are some downsides. Here are your options below:

    1. Setting up Proxy
    You can set up an Apache Proxy server and maintain it. We can access the server and set it up to host your reseller site. Maintenance of the server will rely on the customer.

    2. Redirecting URL
    Same Single Sign-on Process to xxx'x web server with different domain than the customer’s own domain with SSL. This may cause the browser to pop-up with a warning message stating that they are getting redirected to a non-secure web page.

    3. SSL
    This can be enabled on your hosted domain, but by turning this on, XP will not be supported on your platform. It is one of the limitations of having SSL activated.

    Let me know if you have any questions.

  2. #2
    Regular Coder
    Join Date
    Jan 2013
    Thanked 77 Times in 77 Posts
    Sure you can post it – but even without seeing it I tend to trust that programmer. JavaScript and sensitive information shouldn't usually go together.

  3. #3
    Regular Coder
    Join Date
    Apr 2012
    St. Louis, MO
    Thanked 101 Times in 101 Posts
    It also depends upon HOW JavaScript is redirecting with credentials. If it's using AJaX and POSTing the data via form through an SSL connection, that might not be too bad. No different than submitting a standard form through an SSL encrypted connection.

    But if it's just using clear-text URL parameters - yeah, that's a "Bozo no-no".

    If anyone knows of a website that can offer ColdFusion help that isn't controlled by neurotic, pedantic jerks* (stackoverflow.com), please PM me with a link.
    The neurotic, pedantic jerks are not the owners; just the people who are in control of the "popularity contest".
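
The distinction drawn in post #3 (a POST over an SSL connection versus clear-text URL parameters), as an added example that is not part of the original thread or the vendor's scripts: a small Node.js check that audits a sign-on hand-off before it is deployed. The host `partner.example`, the field names and the `auditHandoff` helper are assumptions made for illustration.

```javascript
'use strict';
// Added example: audit a cross-site sign-on hand-off for the two problems
// raised in the thread (no SSL/TLS, credentials carried in the URL).
// The parameter names matched here are assumed, not taken from the vendor.
const SENSITIVE = /^(pass(word|wd)?|pwd|secret|token|api[_-]?key|auth|session(id)?)$/i;

// method: 'GET' or 'POST'; url: where the browser is sent;
// fields: names of the form fields submitted with the request.
function auditHandoff({ method, url, fields = [] }) {
  const findings = [];
  const target = new URL(url);
  const verb = method.toUpperCase();

  // Without HTTPS everything, including a POST body, crosses the network in clear text.
  if (target.protocol !== 'https:') findings.push('no-tls');

  // https://user:pass@host/ style credentials are part of the URL itself.
  if (target.username || target.password) findings.push('credential-in-userinfo');

  // A GET form serialises its fields into the query string, so treat them as URL data.
  const urlKeys = [
    ...target.searchParams.keys(),
    ...new URLSearchParams(target.hash.slice(1)).keys(), // fragment stays in browser history
    ...(verb === 'GET' ? fields : []),
  ];
  const leaked = [...new Set(urlKeys.filter((k) => SENSITIVE.test(k)))];
  // URL data ends up in browser history, server and proxy logs, and Referer headers.
  if (leaked.length) findings.push('credential-in-url:' + leaked.join(','));

  return { ok: findings.length === 0, findings };
}

// Constructed sample hand-offs (not real endpoints).
const SAMPLES = [
  { method: 'GET', url: 'http://partner.example/login?user=alice&password=hunter2' },
  { method: 'GET', url: 'https://partner.example/sso', fields: ['user', 'password'] },
  { method: 'POST', url: 'https://partner.example/sso', fields: ['user', 'password'] },
];

for (const s of SAMPLES) {
  const { ok, findings } = auditHandoff(s);
  console.log(`${s.method} ${s.url} -> ${ok ? 'ok' : findings.join('; ')}`);
}
```

Only the last sample passes: the credentials travel in a POST body over HTTPS, which is the case post #3 compares to submitting a standard form through an SSL connection.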

  4. #4
    Master Coder felgall
    Join Date
    Sep 2005
    Sydney, Australia
    Thanked 932 Times in 919 Posts
    You set up all the security outside JavaScript - since not everyone has JavaScript you need to have it work securely for those without JavaScript - the JavaScript just makes it easier to use.
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

