Is there a good way of securing an ASP.Net web service call made via Javascript on the click event handler of an HTML button?

StackOverflow https://stackoverflow.com/questions/121490

Question

The purpose of using a Javascript proxy for the Web Service using a service reference with Script Manager is to avoid a page load. If the information being retrieved is potentially sensitive, is there a way to secure this web service call other than using SSL?

Solution

If you're worried about other people accessing your web service directly, you could check the calling IP address and host header and make sure they match the expected IP addresses.

If you're worried about people stealing information during its journey from the server to the client, SSL is the only way to go.

OTHER TIPS

I would use SSL; it would also depend, I suppose, on how sensitive your information is.

I would:

  1. Use SSL for the connection
  2. Put a time and session based token in the request
  3. Validate the inputs against expected ranges on the server

SSL prevents man-in-the-middle.

Tokenized requests verify that the request is coming from an active and authenticated session, within a reasonable amount of time from the last activity within the session. This prevents stale requests being re-submitted and verifies that it came from the source of the session (store the IP address, user-agent, etc. on the server for session management).

Validating that the inputs are within expected ranges verifies that the request has not been doctored by the party that you are talking to.
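One way the time- and session-based token from step 2 could be issued and checked on the server, as an added example that is not part of the original answer. The `RequestToken` class, its token format, the five-minute window and the hard-coded key are all assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; RequestToken and its members are hypothetical names.
public static class RequestToken
{
    // Assumption: a per-application secret loaded from protected configuration,
    // never sent to the browser. The literal below is a placeholder.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-random-secret");
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5);

    // Token format (constructed for this example): "<issuedUnixSeconds>.<base64 HMAC>"
    public static string Issue(string sessionId, DateTime utcNow)
    {
        long issued = ToUnix(utcNow);
        return issued + "." + Sign(sessionId, issued);
    }

    public static bool Validate(string token, string sessionId, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(token) || string.IsNullOrEmpty(sessionId)) return false;
        string[] parts = token.Split('.');
        long issued;
        if (parts.Length != 2 || !long.TryParse(parts[0], out issued)) return false;

        long age = ToUnix(utcNow) - issued;
        if (age < 0 || age > (long)MaxAge.TotalSeconds) return false; // stale or future-dated

        // The MAC covers the session id, so a token from another session fails here.
        return FixedTimeEquals(Sign(sessionId, issued), parts[1]);
    }

    private static string Sign(string sessionId, long issued)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(sessionId + "|" + issued)));
    }

    private static long ToUnix(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    // Compare without exiting early so timing does not reveal how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The page would render `RequestToken.Issue(Session.SessionID, DateTime.UtcNow)` into the script that calls the proxy, and the web method would call `Validate` with the same session id before doing any work, then range-check its inputs as in step 3.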

Though SSL would be best, there are a number of client-side cryptography libraries that could alleviate some of the security concerns - see https://github.com/jbt/js-crypto for a nice collection

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow