ABSTRACT

Securing JSON responses against hijacking on the server has two main requirements that must be met as part of the application architecture. These are:

• Ensure a properly formatted JSON object
• Use POST to retrieve sensitive data via JSON

Another way to put this is:

• Never return JSON arrays
• Never use GET requests for sensitive data

A properly formed JSON object is not executable by JavaScript; a JSON array is. Returning JSON objects only in response to POST prevents remote scripts from obtaining private data via a GET request and the user's authentication cookie.