ABSTRACT
Securing JSON responses against hijacking on the server has two main requirements that need to be met as part of the application architecture. These are:

• Ensure a properly formatted JSON object
• Use POST to retrieve sensitive data via JSON

Another way to put this is:

• Never return JSON arrays
• Never use GET requests for sensitive data
A properly formed JSON object is not executable by JavaScript, whereas a JSON array is. Returning sensitive JSON only in response to POST prevents a remote script from obtaining private data through a GET request that carries the user's authentication cookie.
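The two requirements above as server-side helpers, written here as an added example rather than code from the abstract; the function names (wrapJsonResponse, isParsableAsScript, handleSensitiveJson) and the plain status/body return shape are this example's own assumptions, not a particular framework's API:

```javascript
// Requirement 1: never emit a bare JSON array. Arrays (and primitives) are
// wrapped so the top-level value of the response is always an object.
function wrapJsonResponse(value) {
  if (Array.isArray(value) || value === null || typeof value !== "object") {
    return JSON.stringify({ data: value });
  }
  return JSON.stringify(value);
}

// Illustrates the abstract's claim: text whose top-level value is an object
// literal with quoted keys is a syntax error when read as a script (the
// braces become a block and `"key":` is not a valid statement), while an
// array literal parses as an ordinary expression statement. The text is only
// parsed, never run. Note the degenerate case: "{}" does parse (as an empty
// block), but it carries no data.
function isParsableAsScript(jsonText) {
  try {
    new Function(jsonText); // parse only; the function is never invoked
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Requirement 2: sensitive JSON is served only for POST. Any other method
// gets 405 with an Allow header, so a cross-origin GET (which would carry
// the user's cookie) never receives the data.
function handleSensitiveJson(method, payload) {
  if (String(method).toUpperCase() !== "POST") {
    return { status: 405, headers: { Allow: "POST" }, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: wrapJsonResponse(payload),
  };
}

// Constructed sample: a record set that a naive handler would return as an array.
const sampleRecords = [{ id: 1, email: "a@example.com" }, { id: 2, email: "b@example.com" }];
console.log(handleSensitiveJson("POST", sampleRecords).body);
```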